

Bob Hayes has made a little map of the future, and it leads straight into a
forest of post-9/11 regulation. Hayes can help keep you from getting lost.
Protection in every location.
Managed and integrated
from one location.


Symantec Security Management Console


Introducing the Symantec Security Management System.

For  the  first  time,  security  data  from  multiple  locations, 
multiple  tiers  —  even  multiple  brands  of  information 
security  products  —  can  be  managed  with  a  single  system, 
at  a  single  console.  Which  means  that  enterprise-wide 
policy  compliance  is  finally  a  real  possibility.  It  also  means 
that  because  you've  simplified  your  environment,  you  can 
reduce  your  operating  costs.  And,  most  importantly,  you 
can  now  be  more  responsive  to  new  and  emerging  threats, 
eliminating  them  before  they  do  damage.  It's  part  of  a 
revolution  in  information  security,  a  revolution  that  offers 
better  protection,  efficient  management  and  ensured  business 
continuity  for  your  entire  enterprise.  For  our  latest  White 
Paper, “Managing Security Incidents in the Enterprise,” visit
http://ses.symantec.com/USA659A8VE  or  call  800-745-6054. 


Symantec.


I  AM  A  CISCO 
CATALYST  6500 


I  AM  A  SNARL 
PACK  OF 
DOBERMANS. 


I  AM  INTEGRATED  SECURITY.  I  HAVE  THE  POWER  TO  PROTECT 
YOUR  NETWORK  FROM  THE  INSIDE,  THE  OUTSIDE  AND  FROM 
EVERYWHERE  IN  BETWEEN.  I  ALWAYS  KNOW  WHO  IS  ON  THE 
GUEST  LIST  AND  HAVE  THE  POWER  TO  DENY  THOSE  WHO  AREN'T 
ON  IT.  I  SNIFF  OUT  THREATS  SO  YOU  CAN  STAY  PRODUCTIVE.  I  AM 
MORE  THAN  A  CISCO  CATALYST  6500. 


THIS IS THE POWER OF THE NETWORK. NOW.


Cisco  Systems 


cisco.com/securitynow
28 COVER STORY

Chaos  in  a  Three-Ring  Binder 

LEADERSHIP  CHALLENGES  Longtime  CSO  Bob  Hayes 
has  documented  the  reams  of  red  tape  growing  in  the 
shadows  of  9/11.  Is  security  soon  to  become  a  highly 
regulated  activity?  By  Sarah  D.  Scalet 

36  Fear  Factor 

PSYCHOLOGY OF SECURITY In the months following
September  11,  prescriptions  for  antianxiety  medication 
climbed  23  percent  in  The  Big  Apple.  Does  your  security 
strategy  put  your  employees  in  a  New  York  state  of  mind? 
By Daintry Duffy


22  Help  Wanted 

SECURITY  COUNSEL  Tracy  Lenzner,  president  of  the 
LenznerGroup,  an  executive  search  consultancy  that 
places  CSOs,  answers  readers’  questions  about  how 
to  land  a  security  job. 


24  If  You  Can’t  Stand  the  Heat, 

Don’t  Call  ’Em 

FLASHPOINT  If  you’re  not  prepared  to  deal  with  the 
consequences  of  bringing  in  the  authorities,  making 
that  phone  call  can  be  a  bad  business  move. 

By  David  H.  Holtzman 

60  Waving  the  Red  Flags 

CSO UNDERCOVER Security can play a major
role in ensuring the integrity of the corporation.
But it won’t happen without persistence.


20  Wonk 


13  Briefing 

Now  share  this;  Incoming  mail; 
The  color  of  privacy;  Lending  a 
plan;  Don’t  let  your  babies  grow 
up  to  be  hackers. 


“The best way to explain preincident
planning is this: Get up from your desk
right now, walk out the door and know that
everything you leave behind is destroyed.
Then tomorrow, go back to work.”

-BOB WEAVER, DEPUTY SPECIAL AGENT
IN CHARGE, U.S. SECRET SERVICE FINANCIAL
CRIMES DIVISION, PAGE 48


42  Hall  Monitors 

E-COMMERCE  Top  infosecurity  pros  offer  five  strategies  for 
keeping  watch  over  e-commerce  risk.  By  Kim  Girard 


Lobbying  the  homeland:  Companies  are  lining  up  to 
get  their  share  of  homeland  security  funding.  And 
they’ve  come  up  with  some  creative  ways  to  get  it. 

By  Julie  Hanson 


48  Setting  the  Course 

ACHIEVEMENTS  The  CSO  Compass  Award  honors  leaders 
who  have  helped  build  a  security  culture  not  just  in  their 
own  organization  but  in  the  broader  business  community 
and  the  nation.  The  honorees  share  their  thoughts  about 
where  security  and  CSOs  are  headed  in  the  future. 


55  Machine  Shop 

What  every  CSO  needs  to  know  about  encryption. 
By  Simson  Garfinkel 

TOOLBOX:  Security  policy  management  software 

64  Debriefing 

It’s  a  fraud,  fraud,  fraud,  fraud  world. 


Cover photo by

IN EVERY ISSUE  6 CSOonline.com  8 Letter from the Editor  10 Advisers  62 Index
Network Security Engineers are a phone call away.


To  keep  your  business  competitive,  you  need  the  right  IT  talent  at  just  the  right  time. 

With more than 100 locations worldwide, Robert Half Technology is a leading provider of:

•  Network  Security  Engineers  •  Network  Administrators 

•  Programmers  •  Database  Administrators 

•  Web  Developers  •  And  other  Technology  Professionals 

•  Help  Desk  Professionals 

With  our  exceptional  connections  to  the  best  technology  talent  available,  we’ll  do  more  than  provide 
cost-effective  solutions  to  your  needs  -  we’ll  do  it  exactly  when  you  need  it. 

Call  today! 


800.793.5533  roberthalftechnology.com 


ROBERT  HALF® 

TECHNOLOGY 

Information  Technology  Professionals 


A  Robert  Half  International  Company 


©  Robert  Half  Technology.  EOE 


csoonline.com


Security  Counsel 

Richard J. Heffernan is CEO of R.J. Heffernan
Associates. He has more than 25 years
of experience in risk analysis, program
design, development, implementation and
the management of information security
solutions. He can answer your questions
about how to ensure the security of data on
the move at offsite meetings and conferences.
Visit SECURITY COUNSEL to post a
question. www.csoonline.com/counsel


Daily  Dose  of  CSO 

Need  a  daily  fix  of  security  analysis,  news, 
numbers  or  opinions?  Visit  CSOonline. 
Here’s  a  rundown  of  the  fresh  content 
you’ll  find  each  weekday: 

MONDAY 

TALK BACK Do you have the guts to test
your business continuity and recovery
plans? Visit each week to share your opinions
on this and other topics.

www.csoonline.com/talkback


CSO  Research 

Go online and read exclusive
research reports written
by Research Editor
Lorraine Cosgrove Ware.
Recent topics include
budgeting, disaster recovery
and our latest report,
“State of the CSO.”
www.csoonline.com/csoresearch


Security  A  to  Z 

You can’t communicate the value of security
unless you know what you’re talking
about. From “abuse of privilege” to “white
hat hacker,” CSOonline’s GLOSSARY has
got you covered. You’ll be speaking (and
understanding) the industry lingo in no
time. www.csoonline.com/glossary

Free  Newsletters 

We’ll bring CSO right to your inbox every
month, for free. CSO UPDATE highlights
the most recent content posted on CSOonline.
CSO WANTED UPDATE alerts you to
the latest security-related job openings in
our database. It takes only a few seconds to
subscribe. www.csoonline.com/newsletters


TUESDAY 

SECURITY CHECK Quick and easy. Vote
in our weekly security poll. You may also
check the results of previous polls, such as
“How concerned are you about the security
risks of e-commerce?” Most respondents
(81 percent) said they were somewhat concerned.
www.csoonline.com/poll

WEDNESDAY 

ANALYST REPORTS We’ve gathered
research and analysis from respected
sources and put it all into one convenient
package. In a recent report, Gartner says
changes in business, IT and regulatory
environments are increasing the need for
comprehensive business continuity planning.
www.csoonline.com/analyst

THURSDAY 

METRICS Did you know that U.S. consumers
are expected to lose $73.8 billion
to identity theft by the end of 2003? Visit
each week for the statistics that matter
to security professionals.
www.csoonline.com/metrics

FRIDAY 

POLITICS & POLICY Read our weekly
recap of action on the Hill. Get the full text
of bills before the House and Senate, and
blurbs about other legislative activity,
inside the Beltway and out.
www.csoonline.com/politics
INTRODUCING REALSECURE
NETWORK  7.0. 

RELEASED  JUST  AHEAD  OF 
EVIL  THREAT  6.8. 


Dynamic  Threat  Protection.  The  most  complete  protection  available.  Leading  edge  detection,  prevention 
and  response  that  stops  the  bad  guys  cold.  That’s  RealSecure®  Network  7.0.  Our  solution  offers  the  most  accurate  protection  at 
network  speeds  without  slowing  you  down.  Plus,  our  SiteProtector™  centralized  management  system  makes  protecting  a  large  network 
as  simple  as  the  click  of  a  mouse.  Or,  let  us  do  it  for  you  with  our  24/7  Managed  Protection  Services.  Keep  evil  one  step  behind.  Find 
out  why  RealSecure  is  the  market  share  leader,  visit  www.iss.net/iss-cso  or  call  us  at  800-776-2362. 


NSS 

approved 


RealSecure  Network  7.0 

Unified  protocol  analysis  and  pattern  matching  -  that  works 
Analyzes  95  network  protocols  -  catching  even  unknown  attacks 
Nonstop  protection  at  network  speeds  up  to  1Gbps 
Backed by X-Force, the world’s #1 security intelligence team


Internet Security Systems


Chaos  Theory 


Last month I complained about carrots. This month I’m complaining
about sticks. Apparently, there’s just no pleasing me.


The gentleman on our cover is Bob Hayes. We posed him in some woods
near his office, in Atlanta, to make the metaphorical point that a bunch of
dense, confusing and potentially contradictory regulations are being promulgated
now by various federal, state and local governments, as well as by industry
consortiums within the private-sector wing of the so-called critical infrastructure.
Hayes, the former security director of Georgia-Pacific, has made a
thorough study of the changing regulatory climate (see Sarah D. Scalet’s cover
story, “Chaos in a Three-Ring Binder,” Page 28). He predicts that security will
soon become one of the most highly regulated areas of endeavor in U.S. business,
and he is apprehensive about the implications of that.

CSOs in affected industries will face a mighty challenge. As business has long
asserted, regulation imposes added costs and management burdens, requiring
oversight, compliance reporting and, frequently, some extent of process remediation.
While the goals of regulation are often worthy, the particular mechanisms
can be cumbersome and even foolish. It is probably too much to ask that
the clever munchkins toiling away in this or that agency coordinate with one
another while formulating regulatory provisions; or that people with deep
expertise within the affected industries make sure that the measures reflect
real-world practicalities; or that someone owning sufficient clout, within the
Department of Homeland Security or some other megabureaucracy, be empowered
to reconcile the discontinuities among clashing
regulations. (As Scalet observes in her story, complying
with one regulation might require that another either
be ignored or willfully flouted.) Come what may, it will
fall significantly to CSOs to sort out the mess.

What worries Hayes the most is the element of surprise.
He believes that CSOs, by and large, don’t have
the slightest clue that an onslaught of regulatory load
is about to crash over them, plunging their organizations
into waves of red tape. Perhaps they believe what
the Bush administration has energetically insisted
throughout its tenure: that carrots are so much more
effective than sticks. But carrots, as I wrote last month,
are not sufficient to guarantee a consistently high level
of security. Unless the force of compulsion is brought
to bear on private enterprises in reasonable ways, there
is no certainty that our critical infrastructure will be
well protected.

Bob Hayes’s call to action is roughly as follows: If
CSOs don’t get in front of this process, if they simply
let it happen without becoming aggressively, constructively
involved, then they will surely suffer the consequences
of Murphy’s Law. Left to the unaided devices
of the regulation makers, chaos and arbitrariness will
take hold. The world will, ironically, be made less
secure. And, in addition, way more stupid.

-Lew  McCreary 
mccreary@cxo.com
CCTP would have made his life much easier.

CCTP, engineered by Anixter, is:


Introducing 

CCTP

video  surveillance  for  the  digital  age 

Want  to  know  more? 

Simply  go  to  anixter.com/CCTP 

or  call  1-800-ANIXTER. 


•  The  only  open  architecture,  standards-based, 
structured  video  surveillance  solution 

•  30%  less  expensive  than  traditional 
CCTV  systems 

•  Video,  Power  and  Control  over  one  optimized 
UTP  cable 

•  Able  to  handle  existing  analog  technology 

•  Ready  for  the  IP  surveillance  future 

>>CCTP  products  exclusively  manufactured  for  Anixter  by  Belden  and  Siemon. 


*Winner of the “Best New Technology” Award at the Federal Office Systems Expo (FOSE)
CSO wishes to thank the following individuals for serving as
our editorial Board of Advisers, supplying their expertise and
guidance to CSO’s editors.*

Senior Director of Information Technology

STEVE KATZ

President, Security Risk Solutions
ABOUT IDG International Data Group (IDG), the
leading global provider of IT media, research,
conferences and events, informs more people
about technology than any other company in the
world. Offering the widest range of media options,
IDG reaches more than 120 million technology
buyers in 85 countries representing 95 percent of
worldwide IT spending. IDG publishes more than
300 newspapers and magazines in 85 countries,
led by the Computerworld, Infoworld, Macworld,
Network World, PC World and CIO global product
lines. IDG offers online users the largest network
of technology-specific sites around the
world through IDG.net (www.idg.net), a gateway
to IDG's 330 websites powered by more than
2,000 journalists reporting from every continent
in the world. IDG also produces 168 technology-
related conferences and events, and research
company IDC provides global market intelligence,
analysis and forecasts in 43 countries.


*The  advisers'  participation  does  not  imply  an  endorsement  of  the  magazine's  content  or  opinions. 


“The challenge of trust is that it is usually hard
to establish, but so easy to destroy. It can take
months or years of interaction before people
trust each other or a particular technology.”

-DOROTHY  DENNING,  PROFESSOR, 
DEPARTMENT  OF  DEFENSE  ANALYSIS,  NAVAL  POSTGRADUATE  SCHOOL 

(SEE  “SETTING  THE  COURSE,”  PAGE  48) 
Companies everywhere are facing a new kind of threat.
Fortunately,  there’s  a  new  level  of  protection. 


Introducing  Application  Intelligence  only  from  Check  Point. 

The Internet is evolving. So is the technology that keeps it secure. Now Check Point introduces
Application Intelligence, a major breakthrough in the evolution of Internet security and a definitive
response to the growing problem of application level attacks. With Application Intelligence integrated
into Check Point FireWall-1 and SmartDefense, your business-critical systems are safe from both
network and application level attacks. By providing the world’s only truly integrated security infrastructure,
Check Point centralizes and strengthens your defense against attack at every level, every location. Want
to take Internet security to the next level? Get the revealing new white paper that tells you everything
you need to know about the latest cyber threats, “Internet Security Redefined: A new level of integration,
a new level of protection,” at www.checkpoint.com/appint/cso
Now Share This


TERRORISM They say there’s safety in numbers. Well, the government
has just added another agency. Feel any safer?

The latest effort at government information sharing comes in the
form of the Terrorist Threat Integration Center, dubbed the TTIC.

The TTIC will collect information on terrorist activities, evaluate
that information and circulate it to the appropriate government
agency. “What we’re trying to do is have the TTIC serve as the central
hub to provide and receive information,” says John Brennan,
the TTIC’s new director. But, because Brennan reports to George
Tenet, director of the CIA, the new center is perceived by many as
just another CIA operation, which will deny the TTIC the independence
it needs to succeed. If it is perceived as an offshoot of the
CIA, some intelligence experts worry that the TTIC may face the
same distrust that other Washington intelligence agencies have for
the CIA. The CIA has long been viewed as an island unto itself, an
island that has failed to share intelligence information. “The TTIC
is not going to be as effective as it could be for the simple reason
that it’s going to be attached at the hip with the CIA,” says Phil
Anderson, a senior fellow and head of homeland security for the
Center for Strategic & International Studies.

Still, the center will serve an important purpose, notes Anderson.

“The TTIC is going to integrate information from the federal, state
and local level as well as the private sector,” he says. “You’re
talking about a lot of information and specific analysis that hasn’t
been done by one entity up to this point.”

-Paul Roberts

Many of you are so concerned about the risks
of e-commerce that you don’t engage in it at
all. To understand the risks, read Kim Girard’s
story, “Hall Monitors,” on Page 42.


CSO  SECURITY  CHECK 


How  concerned  are  you  about  the 
security  risks  of  e-commerce? 


INCOMING  MAIL 


LEGISLATION If you’ve got mail, you’re probably swimming
in spam, and the tide is rising. However, a newly proposed national
Do Not Spam list, similar to the Do Not Call registry aimed at curbing
telemarketers, offers some hope. Question is, will it work?

Some states, 28 or so, have enacted antispam legislation of one
sort or another, but federal law has yet to follow their lead. The Burns-Wyden
bill (also called the Can-Spam bill) has been kicked around in
Congress but hasn’t been passed. “It’s a bad bill, and in a rare flash
of insight, Congress decided not to make it into a bad law,” says a
wry John Mozena, cofounder of spam-fighting organization Cauce
(Coalition Against Unsolicited Commercial E-mail). Mozena says that
although it’s touted as an antispam bill, Burns-Wyden would actually
have the opposite effect because, with a few simple steps, marketers
can turn spam into legitimate, legal marketing messages.

Instead, Mozena favors New York Sen. Charles Schumer’s forthcoming
Do Not Spam bill. The draft includes civil and criminal penalties
for spammers, including potential jail time for repeat offenders.

Unfortunately, the nature of e-mail makes stopping spam a bit
more difficult than stopping telemarketing calls. Cauce is lobbying
for two revisions to make the Do Not Spam draft more effective, says
Mozena. First, it wants domain holders to be able to block their entire
domain from spam so that all addresses ending in their domain
names would be protected. Second, individuals, not just attorneys
general, must be allowed to pursue legal action against spammers.
“Even if it’s just in small-claims court, $500 per claim can cut spammers’
profit margins and deter spam,” Mozena says.

If Mozena’s analysis is right, consumers will be eager to support
Schumer’s bill. Other legislative proposals are coming too, including
a bill referred to as Tauzin-Pence. “We’ve seen the drafts, and
believe it or not, it’s worse than Burns-Wyden,” Mozena sighs.

“We call it the Spammer’s Bill of Rights.” -Derek Slater
Briefing


Imitation may be
the sincerest form of flattery, but the
Electronic Privacy Information Center
(EPIC) clearly wasn’t complimenting the
Department of Homeland Security when it
imitated its color-coded threat advisory
system.

In April, EPIC announced the establishment
of a Privacy Threat Index to track
what it sees as the growing erosion of
privacy by government surveillance. The
Privacy Threat Index mimics the Homeland
Security bar chart with green, blue,
yellow, orange and red signaling low,
guarded, elevated, high and severe threat
conditions, respectively.

At  its  announcement,  EPIC  assessed 
the  current  threat  to  privacy  at  a  yellow 
condition,  citing  some  of  the  following 
factors: 

■ Expanded use of the Foreign Intelligence Surveillance
Act, which permits the government
to conduct surveillance without the safeguards
afforded by the Fourth Amendment.

■  Increased  funding  for  surveillance 
systems,  such  as  immigration  control  and 
video  surveillance. 

■ Consideration of the Domestic Security
Enhancement Act, termed by some
Patriot II, which would expand the government’s
ability to conduct surveillance.

-Daintry  Duffy 
HELP YOURSELF


CSO  ROUNDTABLE  If  you’re  waiting  for  the  government 
to  secure  cyberspace,  it’s  going  to  be  a  while.  During  a  recent 
CSO  roundtable  in  Boston,  Richard  Clarke,  former  special 
adviser  to  the  president  for  cyberspace  security,  said  that 
CSOs  looking  for  the  federal  government  to  take  the  lead  on 
cybersecurity  should  look  elsewhere.  Though  he  praised  the 
president’s  National  Strategy  to  Secure  Cyberspace— a  plan  he 
helped  draft— Clarke  said  that  the  massive  new  Department 
of  Homeland  Security,  in  theory  the  government’s  lead  agency 
for  cybersecurity  and  threat  information  analysis,  exists  only 
on  paper. 

It  will  be  five  to  seven  years  before  the  22  federal  agencies 
that  make  up  the  DHS  shake  off  their  distinctive  cultures  and 
begin  functioning  together  as  parts  of  a  new  department, 
Clarke  said.  “Think  of  AOL  Time  Warner  or  Hewlett-Packard 
and  Compaq,  and  then  multiply  those  mergers  by  22,”  he  said. 
Beyond  the  organizational  challenges  facing  the  DHS, 

Clarke noted that the government must clean up
its own house. Audits by the General Accounting
Office and others have consistently given
federal agencies low marks for IT security. Government
CIOs are far from trendsetters in the
area of IT security and often fall victim to the
same security holes and viruses that afflict corporations
and home users.

The solution for both the federal government
and private-sector organizations is simple,
according to Clarke: Reduce the number of
product vulnerabilities. First and foremost, software
developers need to be trained to write better
code with fewer security flaws, such as buffer
overflows. They also need to revamp the development and
deployment of software. In addition, companies that address
these issues and bring together the people responsible for
physical and IT security with those in HR and legal will likely
find themselves better able to anticipate and respond to security
threats. But all of those things take time. -Paul Roberts
(To hear more from Clarke, read “Setting the Course,”
Page 48.)
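Clarke's point about training developers to avoid buffer overflows is the one concrete coding flaw the roundtable report names. The C snippet below is an added illustration for this page, not code from Clarke, CSO or any product mentioned here: a fixed-size stack buffer filled by an unbounded strcpy, beside a bounded copy that refuses oversized input instead of overrunning. The function names, the 16-byte buffer size and the sample inputs are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed buffer size for the example */

/* VULNERABLE: the flaw class Clarke names. strcpy copies until it finds a
 * NUL, so any input of NAME_LEN bytes or more runs past the end of 'name'
 * and overwrites whatever sits above it on the stack. Kept for contrast
 * only; it is never called with untrusted input in this example. */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                 /* no bound on the copy */
    printf("hello %s\n", name);
}

/* HARDENED: copy only if the whole string, NUL included, fits in dst.
 * Returns true on success, false if the input is too long. Refusing is
 * safer than silently truncating, which can change the meaning of data. */
bool copy_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return false;
    /* Look for the terminator only within the first dst_len bytes of src,
     * so an unterminated or overlong input is never read past that bound. */
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL)
        return false;                    /* src is dst_len bytes or longer */
    memcpy(dst, src, (size_t)(end - src) + 1);  /* +1 copies the NUL */
    return true;
}

/* Same greeting as above, but the caller learns when input was refused. */
bool greet_safe(const char *input)
{
    char name[NAME_LEN];
    if (!copy_bounded(name, sizeof name, input))
        return false;
    printf("hello %s\n", name);
    return true;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that would overflow. */
    const char *ok = "alice";
    const char *too_long = "this name is far too long for a sixteen-byte buffer";

    printf("%s -> %s\n", ok, greet_safe(ok) ? "accepted" : "rejected");
    printf("%s -> %s\n", too_long, greet_safe(too_long) ? "accepted" : "rejected");
    return 0;
}
```

The contrast is the contract, not the library call: the hardened version makes the destination size part of the interface and reports failure, rather than trusting every caller to have checked the length first. Build with warnings enabled (gcc -Wall -Wextra, for instance); modern compilers flag the strcpy in greet_unsafe on their own.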


Shreds of Evidence

Roughly 1 in 4 employees look in the copier
room wastebasket or recycling bin to find out what
coworkers have been copying.

1 in 10 have tried to reconstruct shredded
documents.
Lending a Plan


Who  Wants  to  Marry  a 
Software  Vendor? 

OPEN SECURITY EXCHANGE Some marriages, by virtue
of the personalities involved, are entertaining to watch. The Open Security
Exchange will be that kind of union. The exchange weds infosecurity
and physical security vendors to present customers with a merged front
that will mirror the union of info- and physical security under the CSO.

The hope is that the partnership will result in new, unified standards
for security products and best practices. Currently, the OSE includes software
vendor Computer Associates and physical security vendors HID
(access systems maker), Gemplus (smart card maker), and Tyco Fire
& Security’s Software House.

Like every marriage, this one is starting off with a lot of optimism.
The OSE website claims it “is dedicated to an open, collaborative
partnership.” The exchange might be a boon for vendors,
which will benefit from pooled resources and bundled services,
neither of which will be a bad thing for the CSO. If it allows customers
to get their hands on products at a lower cost with greater
ease, that's fine. But none of that will have any significant
impact on the creation of real standards or “open” anything. If the
OSE is serious about standardization, it needs input from hundreds
more vendors, independent third parties and customers.

Watching who decides to join OSE will be telling. Technology vendors
are notorious for fake standards, which turn out to be nothing more
than ways to lock customers into proprietary technology. When technology
vendors do try to create real standards, politics and infighting over
technical specs inevitably lock up the process.

Never mind what customers will think if the OSE turns out to be nothing
more than vendors marketing faux standards. What will the standardized
world of physical security vendors think of infosecurity’s dalliances?
As we all know, honeymoons don’t last forever. -Scott Berinato
RESEARCH While it’s true that the government was able
to come up with that color-coded Homeland Security threat
level system all on its own, some academics think the feds
could use a hand. In January, Carnegie Mellon University,
Penn State, the University of Pennsylvania and the University
of Pittsburgh formed the Keystone Homeland Security University
Research Alliance. Its goal is to develop new technologies
to protect the nation's critical infrastructure. The projects
under way at each member university cover a broad spectrum,
from meteorology and agriculture to public health
and nanotechnology. Here’s a rundown of some of the projects.

Carnegie Mellon University, home of the computer
security-focused CERT Coordination Center and Software
Engineering Institute, is doing work in the field of robotics.
Researchers are developing robotic snakes that,
equipped with sensors and cameras, can slither into small
spaces such as pipes and air ducts, and could be helpful in the search
for survivors trapped in buildings.

At Penn State’s Applied Research Laboratory, researchers
are working with the Department of Defense to develop
portable, real-time sensors capable of detecting trace levels
of chemical and biological agents below lethal concentration.
Penn State meteorologists are also working on programs that
will help deliver accurate weather forecasts to military personnel
from the field, and are analyzing cloud dispersal patterns
to help public health officials predict the spread of
hazardous gases.

The University of Pennsylvania’s Institute for Research in
Cognitive Science is developing technology to decipher foreign
language surveillance data quickly and efficiently. Also,
researchers in the veterinary school’s pathobiology department
are studying the effect of diseases such as the West Nile
virus on agriculture.

The University of Pittsburgh has developed software called
Realtime Outbreak and Disease Surveillance (RODS). The
program monitors reported cases of the flu, respiratory illnesses
and other diseases for patterns that might suggest the
beginning of an outbreak or terrorist attack. The RODS software
was used at the 2002 Winter Olympics and is now in use
at hospitals in Utah and Pennsylvania. The university is also
offering a certificate program in public health preparedness to
help EMTs, police and fire personnel ready themselves for
health-crisis situations. -Simone Kaplan
-SPECIAL AGENT NANCY SAVAGE, PRESIDENT
OF THE FBI AGENTS ASSOCIATION, IN AN INTERVIEW WITH THE BOSTON GLOBE
CONCERNING THE RECENT RESIGNATIONS OF SEVERAL SPECIAL AGENTS
Don’t Let Your Babies Grow Up to Be Hackers

Q&A If there’s one thing Sarah Gordon
understands,  it’s  the  mind  of  the  virus  writer. 
In  her  current  position  as  a  senior  research 
fellow  for  the  Symantec  Antivirus  Research 
Center,  Gordon  conducts  research  on  the 
ethical  implications  of  technology  and  the 
psychological  aspects  of  human-computer 
interaction.  Recently,  we  asked  her  what 
makes  virus  writers  tick. 

CSO:  What  did  you  find  when  you  unraveled 
the  hackers'  psyche? 

Sarah  Gordon:  Like  many  young  people 
engaging  in  at-risk  behaviors,  virus  writers 
often  don’t  comprehend  the  consequence  of 
their  actions  for  themselves  or  others.  That, 
coupled  with  their  ordinary  “boy-or-girl- 
next-door-ness,”  makes  them  not  so  differ¬ 
ent  from  most  young  people. 

However,  somewhere  there  is  a  funda¬ 
mental  disconnect  between  virus  writing  and 
acknowledging  the  large-scale  conse¬ 
quences  of  those  actions. 

How  have  virus  writers  evolved  over  the 
years? 

The  motivations  for  virus  writing  have 
remained  pretty  consistent,  but  times  do 
change.  We’ve  begun  to  observe  blended 
threats  that  combine  the  replication  require¬ 
ment  of  a  virus  with  other  attack  characteris¬ 
tics  such  as  exploiting  vulnerabilities.  That 
could  indicate  that  their  skill  sets  are  evolv¬ 
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ing.  Nimda,  for  example,  sent  itself  via  e-mail 
and  then  also  exploited  unpatched  servers. 
Bugbear,  another  blended  threat,  spread 
through  network  shares  but  also  logged  key¬ 
strokes  and  functioned  as  a  back  door. 

How  have  the  writers’  goals  or  methods 
changed? 

The  methods  adapt  to  follow  the  technology. 
People  say  these  kids  are  getting  smarter,  but 
that  is  not  the  case.  The  technologies  are 
becoming  more  complex  but  Ironically  much 
simpler  to  manipulate.  That,  coupled  with  the 
innate  curiosity  of  young  people,  creates  a 
ripe  environment  for  such  exploration. 

What  elements  of  computer  evolution  have 
made  the  virus  writer’s  job  easier? 

System  homogenization  [the  increasing 
standardization  of  products  and  protocols] 
is  part  of  the  problem,  but  there  are  other 
aspects  as  well.  Supervision  is  another  key 
area.  In  some  countries,  kids  are  just  now 
getting  wired  into  the  Net— without  supervi¬ 


sion.  Imagine  their  wide-eyed  wonder  upon 
discovering  something  like  self-replicating 
programs— commonplace  and  not  all  that 
complex  to  the  experienced  programmer. 
These  things  seem  like  magic  to  the  new¬ 
comer.  Also,  remember  that  the  differentia¬ 
tion  between  positive  and  negative  attention 
is  not  necessarily  a  given  for  young  people. 

If  I  were  to  ask  you  to  look  into  the  future, 
what  do  you  expect  to  see  from  the  virus¬ 
writing  community  in  the  next  few  years? 

The  community  as  we  know  it  will  not  exist 
in  the  future— rather,  it  will  be  an  evolved 
community  reflecting  the  norms  and  atti¬ 
tudes  of  the  people  involved.  Additionally, 
the  technology.  Its  functionality  and  its 
accessibility  will  play  a  role.  These  commu¬ 
nities  don’t  exist  in  a  vacuum.  They  are  part 
of  a  larger  computing  environment,  and  we 
will— either  consciously  or  unconsciously,  by 
action  or  inaction— play  a  role  in  how  they 
develop.  ■ 


[Sony advertisement; product labels: VPN / Remote Access; Digital Certificate; FIU-710 Fingerprint Identity Token; FIU-600 Fingerprint Identity Device; FIU-900 Memory Stick Fingerprint Identity Token; Password; File Security Encryption; Web Portal; Paperless Contracts Digital Signature]

Password-protected Web sites and applications can now be accessed without having to remember a long list of passwords. Simply place your finger on the pad, and click, you're there! Unlike a password, your fingerprint can't be forgotten or stolen! The Sony line of Puppy® Fingerprint Identity Products provides personal authentication, network access, and file encryption, as well as more robust public key infrastructure (PKI) transactions, personal digital certificates, and Virtual Private Networks... all accessible at a touch within your existing IT infrastructure. And there's no way someone else can ever gain access to your fingerprint file, because its record never has to leave the device. Unlike other fingerprint ID systems, only Sony can scan, match and store your private fingerprint information onboard. How's that for secure?

When you consider Sony's background in imaging and electronics, it's not surprising that the line of Puppy® Fingerprint Identity Products is the Work Smart approach to security.

Work Smart. Work Sony.

VISIT WWW.SONY.COM/PUPPY FOR INFORMATION ON SONY’S FULL LINE OF FINGERPRINT IDENTITY PRODUCTS.

Sony Puppy® Fingerprint Identity Products

IT DOESN’T JUST RECOGNIZE YOUR FINGERPRINT; IT RECOGNIZES YOU.


The Who, What and Why of Washington

Lobbying the Homeland

Companies are lining up to get their share of homeland security funding. And they’ve come up with some creative ways to get it. By Julie Hanson

THERE’S MONEY TO BE HAD, IF YOU know where to look. President Bush’s proposed budget for the Department of Homeland Security allocates $350 million in new funding for the research and development of security-specific projects, in addition to $373 million for technology investments that address border security. Technology and R&D companies are clamoring for their share of the pot.

And they’ll do whatever it takes. Companies that have used lobbyists to get defense contracts from groups such as Congress’s armed services committees are now adding the DHS to the list. Some companies are taking a different route and bypassing lobbyists altogether. Instead, they are looking internally—to their own sales force—to prove to the government that they deserve funding. Still others have chosen to outsource, hiring PR firms to do the lobbying dirty work for them.

PoliticalMoneyLine.com, a website that tracks lobbyist registrations, reports that as of April 2003, 569 companies had registered a homeland security lobbyist. Of the companies registering, the majority are technology and security firms, in addition to some biotech companies. “Homeland defense is a growth industry, and I think a lot of these companies foresee the need to get in on the earliest contracts; they don’t want to be left out,” says Kent Cooper, a principal officer for PoliticalMoneyLine.com.

Many companies are bypassing lobbyists, requiring their sales staff or procurement offices to educate themselves on selling to the government, says Rick White, president and CEO of TechNet, which represents the CEOs of more than 200 companies predominantly from the technology industry. According to White, the strength of lobbyists lies in their ability to lobby for policy. However, if you are looking to sell products, he thinks a more effective approach is to develop a sales staff that knows how to work with Washington.

“The private sector was so hot [in the ’90s], and many companies did not focus on government,” White says. “The bubble burst, and the government became the number-one client in town...now there are salespeople who are all of a sudden learning about the government.” Scott Pastrick, president and CEO of BKSH, the government relations arm of PR firm Burson-Marsteller, says a few dozen companies have contacted him in the past three months about hiring BKSH to help with both homeland security lobbying and working through government red tape. And, he adds, many of his existing clients have added homeland security to the list of issues they would like BKSH to lobby for on their behalf.

Pastrick hears these questions most often: How can we work with the government? Whom can we talk to? What should we be prepared for? “We are telling companies to be patient and agile,” he says. “Until there is an organizational chart and seats get filled [in the DHS] we will be in a learning curve.” A learning curve that will likely continue for quite some time as the country struggles with the question of how to protect our nation’s critical infrastructure. ■


Top Billing

NEWS FROM INSIDE THE BELTWAY

A research and development cybersecurity center will be created by the Department of Homeland Security, says Charles McQueary, DHS’s undersecretary for science and technology. The DHS will partner with the National Science Foundation (NSF) and National Institute of Standards and Technology (NIST). The center’s primary goals: to conduct cybersecurity research; foster public- and private-sector communication; support the department’s information analysis and infrastructure protection mission; and work with NSF on educational programs.

Sen. Conrad Burns (R-Mont.) has introduced the Can-Spam Act of 2003 (S. 877). With this bill, all unsolicited marketing e-mail would need a valid return e-mail address. The bill would also let ISPs take legal action. For more, read “Incoming Mail,” Page 13.

A handful of federal agencies, including the Federal Trade Commission and the Securities and Exchange Commission, have filed 45 criminal and civil law enforcement actions against Internet scammers and deceptive spammers. They’re targeting a wide array of schemes, including auction fraud, the illegal sale of controlled substances, bogus business opportunities, money-making scams and ID theft. The FTC named 20 defendants in the lawsuits.

NIST has released a draft of “Standards for Security Categorization of Federal Information and Information Systems” (Federal Information Processing Standard 199). The document sets standards for how federal agencies will categorize the security level of their systems, and it sets guidelines for minimum information security requirements. The draft is available at www.nist.gov.

News from Washington

To read more about what's happening in Washington, D.C., visit our website.

www.csoonline.com/wonk

Rick White, president and CEO of TechNet
Can you find every rogue device on your network? We can.

Take control of your network perimeter using FreeMap, a new free service from Qualys. Register now at freemap.qualys.com.

Qualys FreeMap is a web-based service that lets you discover devices, identify their operating systems and create a visual topology of your entire network. There's no software to install or maintain, making it easy to identify and monitor all your network entry points, including routers, VPN servers and wireless access points. Qualys FreeMap also enables you to query DNS records so you can identify obsolete or rogue devices.

Take advantage of this valuable service before someone takes advantage of your network.

For product information, call toll-free 1-800-745-4355. © 2003 Qualys, Inc. All Rights Reserved.


Help Wanted

Tracy Lenzner, president of the LenznerGroup, an executive search consultancy that places CSOs, answers readers’ questions about how to land a security job

Q: What are employers looking for when hiring a CSO?

A: That’s a million-dollar question—and answer. The experience required is dependent on many factors. For starters, the type of company, its size, location, industry and regulatory requirements—both domestically and globally—factor in significantly. Industry-specific and functional-specific experience are also key. Candidates must be astute business executives in security with a strong emphasis in IT infrastructure, privacy, risk, fraud, audit and investigations that blends technology, business applications and corporate initiatives. Backgrounds may also include experience in a high-profile security role and the following:

■ Solid work in both security and related industries with strong knowledge of privacy, risk and global issues facing the industry

■ Contacts within appropriate government agencies to increase leverage and information flow on issues, legislation and trends

■ Operational background with business case development, financial administration and experience developing product profit and loss statements

■ Demonstrated leadership ability to provide direction to a diverse workforce

Q: How can a candidate for a CSO position demonstrate his qualifications?

A: Some skills are easily quantifiable, such as number of years’ experience, education (an undergraduate degree is most often required, and an advanced degree and CISSP are usually desired), size and type of industries served.

Personality traits must be accurately assessed in terms of benchmarking, chemistry and soft skills. Requirements will include:

■ A style and presence that quickly earns the respect of the technology and business executives

■ Ability to coordinate across organizational boundaries and demonstrate results within various business areas

■ Credibility as a security professional with the ability to conceptualize but also sell the concepts to the organization

■ Strong interpersonal skills

■ Inherent energy, enthusiasm, integrity and a tireless work ethic

■ Diplomacy

■ Capability to develop new and creative ideas

■ Polished public speaking and writing skills

Q: I currently report to the global CSO. I’m getting bored and wonder about the best way to plan for my next step. Do years of experience always trump ability?

A: From a reporting relationship and functional standpoint, you are in a good position. While the number of years can be important, what you do during those years is what matters. There are many things you can achieve to progress your career. For example, do you currently perform presentations both internally and externally to trade groups or conferences? Are you active in professional associations? Do you possess a CISSP or other advanced degree or certification? When was the last time you updated your resume or tweaked your professional bio? Are you current on the new technologies, issues, trends, legislation and business issues of security? Are you involved in strategy, implementation and global initiatives? How is your speaking and writing performance? And what are you currently doing to progress in these areas? If you can answer all of those questions, great for you. If you have holes in any areas, get to work.

Q: Any advice for those over 50 years old who want to land a CSO position?

A: It’s never too late. If you have a progressive career record managing and leading large global organizations, you have a good start. Notwithstanding, at this point in your career, you need to possess all the right stuff. For anyone seeking or holding a CSO position, there is a relatively small learning curve available. At that level, a critical ingredient is to become knowledgeable of the corporate environment, to rapidly establish oneself as an effective member of the executive team and to be able to strategize. One must have the ability to proactively deal with ambiguity, possess flexibility and build consensus throughout tenure. A high level of experience, effectiveness, vision, determination and knowledge, coupled with integrity, professional and business acumen are essential. A certain degree of charisma to effectively articulate business and technology issues is also a plus. ■

Ask Your Peers

Have a security topic to suggest or an expert you'd like to hear from? Send your thoughts to Assistant Managing Editor Kathleen Carr at kcarr@cxo.com. Go online to see what your peers are discussing.

www.csoonline.com/counsel


www.csoonline.com July 2003

PHOTO BY JEFFREY GREEN



Connecting the right people

Find out why industry leaders and the world’s leading financial institutions choose Nokia security systems.

The more complex your business becomes, the more you need secure and reliable connections to your corporate network. When you combine the world’s best VPN/Firewall software from Check Point Software Technologies and Intrusion Protection from Internet Security Systems (ISS) with Nokia platforms and management applications, you save time and resources.

gaining flexibility and reliability. Only Nokia takes a complete system approach to network integrity with full integration of best-of-breed applications on purpose-built platforms that are easy to deploy, operate and manage, backed by First Call - Final Resolution global support.

To spend more time at home, visit www.nokia.com/get_a_life/americas

NOKIA

Connecting People


Flashpoint

If You Can’t Stand the Heat, Don’t Call ’Em

If you’re not prepared to deal with the consequences of bringing in federal authorities, making that phone call can be a bad business move By David H. Holtzman

THERE WILL COME A DAY when you get tagged by a hacker. But once you figure out how it happened and close the hole, should you call the cops?

Calling in the authorities is a hard decision to make because it could result in more pain—both business and personal. If you don’t notify law enforcement and you’re hacked again, you’ll lose credibility with upper management. There can be business insurance ramifications for not filing a police report, and of course, lack of legal involvement means that the culprit will never get prosecuted in a criminal court.

On the other hand, many level-headed executives worry that investigators will freeze systems and possibly even seize mission-critical equipment. In complicated cases, they might have to.

A landmark case occurred in 1990 when the Secret Service impounded computer equipment and data owned by Steve Jackson Games in connection with an unrelated investigation involving one of its employees. Collateral business damage from the investigation almost forced the company to go under. Every copy of the current product under development was taken. Some files were given back in a month, but data was destroyed. The hardware itself was kept for four months. The company sued the government, and was awarded $50,000 plus legal fees.

Here are some pitfalls of calling in the authorities:

■ Any empowered employee (an ambiguous legal term that can cover anyone from a systems administrator to a manager or executive) can grant consent for a search that otherwise couldn’t be executed without a warrant.

■ Some circumstances permit unrelated information uncovered in a search to be used by the government as evidence of other crimes.

■ Your company will lose all control over the prosecution. This matters if it looks like an inside job.

■ The constitutional test for privacy is based on “reasonable expectation of privacy.” When customer information enters third-party hands, its legal protection is diminished.

By the way, nothing that I’ve said necessarily applies to state and local law enforcement. The training varies enormously by locale, so I would discourage calling in the police under any but the simplest cases where the motive is clearly theft. If it’s a denial-of-service attack, notify CERT (www.cert.org).

Deciding whether to call in the authorities is a business decision. If there isn’t a clear goal, such as prosecution of a thief, it may not be worth the risk. No one can guarantee that assets won’t be taken. The Department of Justice’s guidelines for computer seizure (www.usdoj.gov) should be required reading for CSOs. It explicitly warns that “...If the agents cannot learn where the information is stored or cannot create a working mirror image for technical reasons, they may have no choice but to seize the computer and remove it.”

The moral of this story is, if you don’t need to call, don’t. If you do call, be prepared to cooperate. ■

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com.


If You Decide to Call the Feds*

The following steps will help protect business continuity during an investigation

1. Notify the general counsel (GC) verbally and have him contact the authorities. Put nothing in writing (or in an e-mail) at this point. Get a witness to observe your preparations.

2. Shut down all network and remote access to the affected machines.

3. Back up all critical systems. Make it complete, not incremental.

4. Make image copies of every relevant file. Burn them onto CDs. Sign and date one copy and give it to your GC.

5. Do the same for related databases including RDB dumps, Windows registries and Linux log files.

6. Let your users back on to the network and resume business.

7. Print out the text files. Make an inventory of the software versions that you’re using. Mark the papers as proprietary and label each sheet with your company’s name, date and IP markings.

8. Hand over the CDs and paper to the investigators and get a receipt. Explain what you did. Make it clear that the business has started up again.

-D.H. *The author is not a lawyer
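The copies made in steps 4 and 5 are only useful later if each party can show its copy is unchanged; the following shell script, an added example that is not part of Holtzman's sidebar, writes a dated hash manifest (SHA-256, size, path) for an evidence directory and re-verifies it, reporting anything missing or altered. Company name, case label and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the CSO sidebar: a hash manifest for the image
# copies made in steps 4 and 5, so the copy handed to investigators (step 8)
# and the copy kept by the general counsel can each be shown unchanged later.
# Company name and case label are placeholders supplied by the caller.

# SHA-256 of one file, portable across GNU coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_evidence_manifest EVIDENCE_DIR MANIFEST_FILE COMPANY CASE_LABEL
# Writes a dated header, then one line per file: sha256, size in bytes,
# path relative to EVIDENCE_DIR. The manifest is what gets signed and dated.
make_evidence_manifest() {
    dir=$1; out=$2; company=$3; label=$4
    {
        echo "# Evidence manifest"
        echo "# Company: $company"
        echo "# Case label: $label"
        echo "# Created (UTC): $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "# Host: $(hostname 2>/dev/null || echo unknown)"
        echo "# Format: sha256 size_bytes relative_path"
    } > "$out"
    # Sorted traversal keeps the manifest reproducible for the same file set.
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) | while IFS= read -r rel; do
        f="$dir/$rel"
        printf '%s %s %s\n' "$(sha256_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "$rel" >> "$out"
    done
}

# verify_evidence_manifest EVIDENCE_DIR MANIFEST_FILE
# Returns 0 when every listed file is present with the recorded hash and size;
# otherwise prints each MISSING or MODIFIED entry and returns 1.
# The loop reads from a redirect, not a pipe, so the counter survives it in POSIX sh.
verify_evidence_manifest() {
    dir=$1; manifest=$2; bad=0
    while read -r want_hash want_size rel; do
        case $want_hash in ''|'#'*) continue ;; esac
        f="$dir/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING  $rel"; bad=$((bad + 1)); continue
        fi
        if [ "$(sha256_of "$f")" != "$want_hash" ] || \
           [ "$(wc -c < "$f" | tr -d ' ')" != "$want_size" ]; then
            echo "MODIFIED $rel"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# demo_evidence_manifest: constructed sample evidence (two small files), a
# manifest, a clean verification, then a simulated alteration that must fail.
# Returns 0 when both outcomes are as expected.
demo_evidence_manifest() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/evidence/logs"
    printf 'Jul  3 02:14:07 host sshd[4711]: constructed sample log line\n' \
        > "$work/evidence/logs/auth.log"
    printf '%s\n' '-- constructed sample database dump' > "$work/evidence/db.sql"
    make_evidence_manifest "$work/evidence" "$work/manifest.txt" \
        "EXAMPLE-COMPANY-PLACEHOLDER" "CASE-LABEL-PLACEHOLDER"
    verify_evidence_manifest "$work/evidence" "$work/manifest.txt" || return 1
    printf 'x' >> "$work/evidence/db.sql"         # simulate a later alteration
    if verify_evidence_manifest "$work/evidence" "$work/manifest.txt" >/dev/null; then
        return 1                                  # alteration went undetected
    fi
    rm -rf "$work"
    return 0
}

demo_evidence_manifest && echo "manifest demo: OK"
```

The manifest file, not the CDs, is what gets signed and dated for the GC; anyone holding a copy can rerun the verify function against it.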
Our award-winning CIOs share ideas you can use today, as they tell us

What Works Now

Some of our favorite thought-leaders look into the future, and predict

What Lies Ahead

Create a Cutting-Edge Culture: Being innovative is more important—and more challenging—than ever. How can you be resourceful and forward-thinking, even in tough times?

Invent New Methods of Showing Value: You’re under more pressure to show the value of every IT dollar. If traditional ROI metrics don’t work in your case—make up your own. Two of our winners did.

Get Fast and Flexible: Adapting and moving quickly on opportunities is a trait of truly resourceful organizations. Two winners turned adversity into advantage, developing faster, more flexible processes.

Motivate Employees and Boost Morale: When the economy enters a downward spiral, so does morale. Our winners share initiatives that help keep their most important resource happy.

To enroll 800.355.0246 www.cio.com/conferences

Your Hot Topics

Gather with fellow attendees to discuss common problems and possible solutions.

■ Designing for maximum IT cost flexibility/agility

■ Compliance and liability: dealing with Sarbanes-Oxley and Patriot Act legislation

■ Long-term partnerships: negotiating strong, mutually beneficial vendor deals

■ Bleeding-edge tech: lessons from the front lines

■ Ensuring data privacy in an access-hungry environment

■ The CSO in you: how to be your own security watchdog

■ Building the next generation of IT leaders

■ Offshore outsourcing

■ Navigating the landmines of mergers/acquisitions

■ And more!

Solid Peer Advice

Executive Mindshare Sessions

Small working groups of CIOs explore the challenges and best practices of specific, critical IT/business topics.

Networking Opportunities

Make the connections with other CIOs who can help you today and tomorrow: take advantage of our breakfast and lunch roundtables, receptions, and evening dinner and hospitalities.

Presenters

CIO 100 Winners

The best-of-the-best. Select CIO 100 Award Winners share best practices in leadership and resourcefulness.

Paul Saffo

Joins us again as Symposium moderator and talks about why he thinks we're on the verge of an onslaught of technological innovation that will affect every corner of business and society in the decades ahead.

W. Brian Arthur

Citibank Professor of the Santa Fe Institute shares his views on how sub industries such as genomics, proteomics, financial engineering, nanotechnology and the like are being born out of IT.

Howard Rheingold

Futurist and guru of digital culture gives us his observations on the “Smart Mob” phenomenon.

Abbie Lundberg

CIO magazine’s Editor in Chief hosts a panel of award-winning CIOs. They’ll share how they’ve anticipated the impact on their organizations of the economic and political events of the past two years and how they lead in an age of extraordinary challenges.

Leadership and Innovation for the Resourceful Enterprise

Sponsored by

GREAT RELATIONSHIPS

Legendary Reliability

BMC Software: Assuring Business Availability

Cigital

Fujitsu: Work Smarter.

Red Hat: The Power of Now

This year’s CIO 100 Awards Ceremony is proudly underwritten by PeopleSoft.

Presented by

The Resource for Information Executives

Cover  Story 


in  a  Three-Ring  Binder 


Longtime  CSO  Bob  Hayes  has  exhaustively 
documented  a  looming  menace:  reams  of  red  tape 
growing  in  the  shadows  of  9/11.  Is  security  soon  to 
become  a  highly  regulated  activity?  And  if  it  is,  are 
CSOs  ready  to  beat  a  path  out  of  the  woods? 

BY  SARAH  D.  SCALE! 


IN  THIS  STORY:  Learn 
from  a  peer  who  has 
spent  the  past  year 
studying  the  wave  of 
security  regulations  and 
guidelines  since  9/11 

■  Find  out  how  those 
policies  could  reshape 
the  security  industry 

■  Prepare  to  play  a  part 
in  tackling  these  issues 
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Bob  Hayes  is  tadding^diaos. 


Chaos,  in  this  case,  resides  in  a  set  of  three-ring 
hinders  that  the  former  security  director  of 
Georgia-Pacific  and  former  security  operations 
manager  for  3M  has  lugged  around  for 
months,  and  which  he  now  plunks  down  on  a 
table  in  a  standard-issue  conference  room 
north  of  Atlanta.  Inside  the  binders  are  hun¬ 
dreds  of  pages  from  dozens  of  legislative 
bodies,  regulatory  agencies  and  industry  con¬ 
sortia  around  the  world,  all  of  which  dictate 
what,  since  9/11,  companies  should  be  doing  to 
protect  themselves  against  terrorism— from 
monitoring  factory  ventilation  systems  to 
hardening  computer  networks  to  screening 
the  staff  who  drive  delivery  trucks. 

The  papers  are  neatly  punched,  indexed 
and  occasionally  underlined  with  red  pen. 
They  are  never  dog-eared  or  crumpled.  Hayes 
is  far  too  fastidious  for  that. 

Nevertheless,  it’s  a  futile  attempt  at  organ¬ 
ization.  In  fact,  as  I  sit  with  Hayes  at  one  of  the 
Fortune  500  companies  where  he’s  been  con¬ 
sulting  since  leaving  Georgia-Pacific  during  a 
restructuring  this  past  January,  I  get  the  sense 
that  in  his  quest  to  conquer  those  reams  of 
paper,  he  is  losing. 

“There’s no way that you could be up on all this,” says Hayes, 52, who has the sturdy but trim build of the Montana Army National Guard enlistee he once was and the Rolex watch and black sports jacket of the Southern businessman he now is. His neatly trimmed hair seems brown or gray depending on the light, just as his demeanor seems to oscillate between that of a confident scholar and that of a confused student, depending on the moment. He’s a scholar in that he’s spent months studying a wave of 9/11-inspired rules and guidelines that suggest, when pieced together, that security is well on its way to becoming a fully regulated industry. (This despite what the Bush administration would like you to believe: that market forces, more or less unaided, will compel right behavior.) He’s a confused student in that the pages in his binders are teeming with legalese and potential contradictions that are far beyond the grasp of any one person. (After all, one mega law firm has put more than 50 attorneys from 17 disciplines in charge of trying to sort out what the new security rules mean for clients.)

“When you start putting this whole picture together of how complex and huge this security issue has become,” Hayes says, winding himself up even as he tries not to rise off the seat of his chair, “it’s not just computer security; it’s not just physical security. It includes how you hire people, how you build your warehouses. That’s the story we’re trying to tell: the magnitude of what’s coming down the road.”

Anyone tempted to disagree should consider Hayes’s track record. In 1972, he was part of a team that did some of the earliest research into what causes or prevents crowd violence, as police in Florida tried to prevent the Republican and Democratic National Conventions from ending in the police riots that marked the Democratic National Convention of 1968. Then, 15 years later, when he was the head of security for 3M, Hayes became one of the first practitioners to do anything about workplace violence—years before the phrase “workplace violence” was part of the lexicon.

“By anybody’s standards, he was one of the pioneers in workplace violence prevention for large corporations,” says Park Dietz, the renowned criminal psychologist (think the Jeffrey Dahmer case) who is himself the most well-known pioneer in that industry. “If you could do a fair survey of the heads of security of the Fortune 100, Bob’s reputation would rank extremely high. I do think he is a forward thinker, and if he sees a pattern there, he’s right.”

For CSOs, the easy way out of the pattern emerging from Hayes’s binders is to let someone else deal with the problem. But the way Hayes sees it, this is a make-or-break opportunity for the profession. “You have a choice—you can either be part of this and influence it, or sit back and ignore it and let people who have no expertise in security handle it,” he says. “That’s not a real smart move because then somebody says, Why do we need a security guy?”

This is why. Hayes shuffles through his stack of binders, finds one labeled Regulatory Trends, flips it open and starts talking.

The  R  Word 

“This,” Hayes says, popping open the binder rings and taking out a stack of papers, “is a list I got from somewhere of all the laws that have been passed [or revisited] since 9/11. I’m really bummed I can’t figure out where I got this. It was a long time before I really stopped and looked at it.” He pauses, thumbing through the document, which is about 15 pages long, a gray blur of laws and proposals about espionage and funding of terrorists, transportation safety and the insurance industry and, of course, the ubiquitous USA Patriot Act—all legislative efforts with the underlying goal of improving national security.

“I started flipping through here and said, There’s a lot of stuff going on: in the United States; in the United Kingdom. Then I saw this,” he says, landing on a page halfway through the document, flashing a Grinch of a grin that makes him look 10 years younger and showing me an alphabetical list of countries also offering security-focused legislation. “Albania, Bosnia, Canada, China. You get the idea? And I say, ‘Uh-oh, we’re not the only ones.’ This was one of the turning points.”

Hayes snaps the document back into the binder and starts turning more pages, from one law or regulatory body to the next. It’s not just the dreaded R word—regulations—that he’s talking about, although there are plenty of those on the state, national and international level. Take the section on the U.S. Customs Service, for instance. Customs, which touches every company that imports or exports supplies or goods to or from the United States, used to be primarily concerned with keeping drugs, illegal aliens and counterfeit products out of the country. But since 9/11, the Customs Service has changed more than its name (it’s now called Customs and Border Protection) and its position within the U.S. bureaucracy (it’s now part of the Department of Homeland Security).

The government’s cry for homeland defense has given Customs vastly expanded powers, the most controversial of which is the authority to declare what’s known as the 24-hour manifest rule. Before, a ship crossing the Atlantic was required to submit a list of its cargo before entering a U.S. port. As of last December, carriers headed for the United States must submit a list of cargo 24 hours before it’s loaded on board. “Compliance with the 24-hour rule is a matter of National Security,” warns a stern statement at the Customs website, threatening to fine offenders and keep them from loading their vessels. But complying with this rule is no small task for a carrier’s customers, who may not know until the last minute exactly what they need to ship.

If that’s the stick, then this is the carrot: Customs Trade Partnership Against Terrorism, or C-TPAT. This voluntary program uses the same concept as the “trusted traveler” program for airlines. Carriers who choose to participate go through a security “validation” (Customs is careful not to use the word audit) to prove they have covered every aspect of supply chain security, from sealing containers to installing adequate lighting at loading docks to giving employees incentives for paying attention to security. Companies that obtain the validation move through Customs more quickly, leaving agents free to focus on vessels that are more likely to pose security risks.

In an informal poll, we asked the CSOs of several Fortune 500 companies how broad an impact they thought that emerging guidelines and regulations would have on security in the long term. Here’s a sampling of what they said.

The Panoramic “The various regulations will have a deep and wide-ranging impact on international business for several reasons. New, unbudgeted costs will affect some companies’ profitability and, depending on their size, perhaps their survivability. Partially overlapping or completely diverse requirements from different agencies will make compliance more difficult and time-consuming. For example, if you’re a pharmaceutical company, you may end up having security regulations from the FDA, DEA and Customs that are in conflict with each other. Then there is the cultural impact. Some foreign managers may view these regulations as an imposition of the U.S. will on their country, and, of course, that won't be received well.” (Asia-based global consumer products company)

The Pragmatic “We are already starting to hear rumblings that other federal agencies are drafting proposed requirements, so we certainly expect to see additional regulations for transportation, chemical storage, mailrooms and other potential terrorist targets in business. If there were to be additional terrorist attacks, we would expect to see this process ramp up very quickly. Corporate security departments that have never before had to work with government regulations and regulators will be required to do so.” (U.S.-based consumer products company)

The Proud “For those corporations that didn’t have their act together, it could have a significant long-term impact. But is it the reverse—that the government and those entities issuing these standards are finally trying to get in step with activities and standards that we’ve held for years? That’s more the way we’ve experienced it. It’s us sort of looking backward saying, Come on boys, keep coming.” (U.S.-based technology manufacturer)

The Paranoid “I’ll pass. I’m currently at a meeting trying to determine how we can manage the plethora of guidelines and standards and regulations being proposed, and I wouldn’t want to antagonize the government.” (U.S.-based utilities company)

Hayes says that the security director of the company on whose leafy grounds we’re meeting has gone through the C-TPAT validation process. (As a condition of the interview, he asked me not to name the company because he’s there as a consultant, not an employee, and because, I sense, he wants to make it clear that this is his project, not theirs.) “It took him about six months,” Hayes says. “It was a major effort—and it’s one of hundreds [of such efforts].”

Somebody Said to Do Something

Outside in the company parking lot, windblown trees shake a fine yellow dusting of pollen over asphalt and cars. A few stragglers return from lunch, and the April afternoon clouds are too threatening to tempt anyone to sneak out for an early tee time. Inside, Hayes is just getting warmed up. He takes a drink of water and opens a binder with a whole other set of guidelines, these with a much murkier reach: presidential directives and executive orders, which the president uses to manage the executive branch, government agencies and, by extension, any company with government contracts.

Like most people, Hayes had never paid much attention to those kinds of orders. But one day, a few weeks after 9/11, while he was still with Georgia-Pacific, he got a call from one of his colleagues in the International Security Management Association (ISMA) who wanted to know what Hayes was doing about Executive Order 13224.

“I said, ‘What’s that?’” Hayes recalls. “And he said, ‘It’s about not doing business with terrorists. We have lots of government contracts and thousands and thousands of customers. How are you going to check your list?’”

At the time, Hayes had no idea what “list” his peer was talking about. Now, he thumbs through the binder looking for the right group of documents. “This is the first one that came out,” he finally says, showing me a list of names of suspected terrorists. Osama bin Laden is number 12 or so. “It started as a list of 75 people at www.treasury.gov. These were groups [the government was] finding links to very early on.”
Hayes started looking for the names and organizations on the list in various databases at Georgia-Pacific, both to comply with the order and to ascertain, for security reasons, that no one identified as a terrorist was working at Georgia-Pacific’s more than 600 locations. Hayes made sure the government’s list got checked against payroll. And against the visitor logs. And against the files for Georgia-Pacific’s temporary agency, for its vendors, for its contractors, for everyone.

Then  the  list  changed. 

“Every day the list would just be bigger,” he remembers. Eventually, it grew to thousands of names. “It would come out with a new date on the bottom, but you’d have no idea who they’d added to it.” That meant that every name on the list—not just the new ones—had to be checked. (The government has since streamlined the process of adding names to the ever-growing list.)


And Executive Order 13224 was only the beginning.

President Bush fired off more orders in rapid succession: Executive Order 13231 on critical infrastructure protection. Executive Order 13234 creating a presidential task force on citizen preparedness. Presidential Directive 2 on combating terrorism through immigration policies.

All of them, in one way or another, involve security. Some laid the groundwork for more far-reaching rules. In May, for instance, the U.S. Treasury Department finalized the Patriot Act regulations that, among other things, require financial institutions to make sure that new customers don’t appear on the suspected terrorist watch list. What became of some of the other provisions is, well, anyone’s guess.

When I got back from meeting with Hayes in Atlanta, I called the White House to ask about the report that was allegedly created by the presidential task force on citizen preparedness. The White House press office didn’t know; someone there referred me to the Department of Homeland Security, which referred me to the Federal Emergency Management Agency, which referred me back to the White House. Later, when I told Hayes this, he wasn’t surprised. He said that was exactly his point.

“I have a headache every time I get into this. It’s so complex, and there are so many people working on it, and obviously nobody is talking to anybody else,” he says. The job of making sense of the mess would, it seems, fall squarely on the shoulders of the CSO. But, like most CSOs, Hayes doesn’t have a law degree. He has no background in picking apart executive orders and figuring out what they mean for whom. He doesn’t know the first thing about following the complex process of how a bill becomes a law becomes a set of regulations and, in time, becomes a fine for noncompliance. He is trying to chart the dimensions of a dense forest at a time when, he fears, everyone else is looking only at the trees.

“All the functions in a company—shipping, distribution, product safety, environmental, food service, everyone—are going to get some notice of individual things happening,” Hayes says. Someone needs to coordinate this vision and oversee the whole onerous load of compliance. It could be the legal department. But the chief security officer, theoretically, is the one person in the organization who best understands how to actually improve security in a holistic way.

“The question is, Will corporate security be in a position to respond or assist or, theoretically, lead?” he asks. “I’m just not sure security is ready.”

A Little Help (or Hindrance) from Your Friends

The answer to the chaos, it might seem, is for industry groups to step in and help their members sort out the new regulations and guidelines. In fact, that’s what industry groups are trying to do. Hayes has a binder full of thick printouts of security guidelines being developed and issued by organizations such as the American Trucking Association, the National Food Processors Association, the American Bus Association, the Cosmetic Processors and Transporters Association, the Freight Transportation Security Consortium and—the thickest section of all—the American Chemical Council, which has been frantically developing security guidelines in an attempt to stave off controversial new regulations Congress is considering.

“It’s scary having this degree of oversight with this many untrained cooks in the kitchen,” Hayes says, in a typical turn of phrase, sitting back in his chair and taking off the thin metal eyeglasses that he likes to use as a pointer. “Here’s the problem with the associations,” he says, bobbing the eyeglasses up and down. “It’s a matter of who does it, what’s their experience, and is it relevant? But it goes beyond that. You can’t have one standard or guideline that fits everybody. So you have a problem, from the beginning, of how do you write something for a tiny little chemical plant [that also applies to] DuPont?”

Case in point: The building that houses Georgia-Pacific’s headquarters is managed by Taylor & Mathis, one of the largest property management companies in the South. Georgia-Pacific is the largest tenant and a part-owner of the building, but there are 10 to 20 other tenant companies and hundreds of other tenant employees. Taylor & Mathis is likely to follow whatever security guidelines the Building Owners and Managers Association (BOMA) releases. But what if BOMA decides that buildings must be evacuated whenever there’s a bomb threat? From Hayes’s perspective, that just wouldn’t make sense. “For me to push 3,000 people out of that building is a two-hour exercise, and bombers never give you two hours of notice,” he says, noting that something like 99 percent of bombs involve no threats and 99 percent of threats involve no bombs. “The property managers had never even timed it to know what their throughput was. They had no idea what it would take to empty that building. Now, you’re in conflict with your own landlord.”

Even more vexing than the underlying wisdom of any one set of guidelines, however, is the fact that large companies don’t necessarily fall neatly into a single industry. Georgia-Pacific, for instance, is known for its paper goods. But it’s also a chemical company, a transportation company, a distribution company, and even—if you count the fact that its products are used to wrap hamburgers and wipe ketchup off fingers at McDonald’s—a food industry packaging company.

“You don’t just pick one industry,” Hayes says. “And if you’re not going to use [a set of industry guidelines that might apply], you’d better have some pretty good reasons why.”

A  New  Gold  Rush? 

If you haven’t guessed by now, this particular CSO headache is likely to become someone else’s bonanza. The American Institute of Chemical Engineers is charging $2,995 a head for a training course on how to implement its security guidelines. Vendors everywhere are touting software that will help companies comply with new regulations, from big Patriot Act packages down to payment-processing modules that block funding to individuals and organizations on the ever-growing list associated with Executive Order 13224. But perhaps the biggest pan in the stream belongs to Baker & McKenzie, one of the world’s largest law firms, which a few months ago announced a U.S. Homeland Security Practice that brings together those aforementioned 50 attorneys from 17 disciplines.

“We started to see individual questions coming up that all had this underlying theme of security related to 9/11,” says Teresa A. Gleason, a partner in the firm’s international trade group, who is coordinating the new practice. “The intent is to recognize that there is a common theme cutting across all disciplines of the law: security and antiterrorism-related issues.”

Gleason envisions two kinds of clients: those who have one or two questions about a particular issue that cuts across industries and areas of the law, and those—ka-ching!—who want to figure out what everything combined means for their companies.

“It could be a lawyer in the company. It could be a security officer, like the people who read your magazine,” she tells me from her office in Washington, D.C. “We’re still a new group, and most companies are still dealing with [the new laws] when a particular issue arises rather than looking at it from a more comprehensive viewpoint, but I think that will change. I think there’s a movement toward looking at it in a more comprehensive way.”

It’s one thing for someone like Bob Hayes to take this on as a pet study—even if it has consumed 15 percent or 20 percent of his time in the past year. It’s another thing entirely for a law firm like Baker & McKenzie to bet so many resources on the premise that many of you, surrounded by paperwork in conference rooms across the country, will first pull out what’s left of your hair, and then give up and call an expert.


Hayes, for one, has ideas for how CSOs could handle all this, ideas that he hopes to implement at whatever company offers him his next CSO gig. Maybe, he wonders, the answer is a RACI matrix with all the regulations down one side, and columns CSOs can fill in clarifying which part of the business is “responsible,” “accountable,” “consulting” or “implementing” for a particular area of the law. (For a downloadable RACI worksheet that you can use in your own organization, go to www.csoonline.com/printlinks.) But that’s just an idea. For now, he thinks, it’s enough for him to start compiling the list of everything that’s out there to make sure his peers know about it.

“It wasn’t that I started out one day and said, There’s all this stuff—I think I’ll research it and put it together,” Hayes says. “In the past few months, it’s become evident that everybody in the world is now weighing in on security. You’ve got more regulation or direction in security in the past three years than probably in the previous 50 years. Clearly, the magnitude of what’s happening has surprised me.” He offers me a soda and some pretzels, the only way he can think to stave off the migraine he knows he’s spreading. “You’re going to give a bunch of people a headache when you publish this article,” he says. “Do I make my case? The landscape has changed.” ■

Senior Writer Sarah D. Scalet can be reached via e-mail at sscalet@cxo.com.

Regulation-Management Work Sheet

For access to an interactive work sheet and other information that will help you manage your enterprise’s security-related regulatory compliance issues, visit CSOonline’s LEGISLATION & POLICY RESEARCH CENTER. It's our online version of Bob Hayes's three-ring binders. www.csoonline.com/legislation
Some information assets on your network are more valuable than others. So how can you protect your most important assets from the most critical threats? Introducing Foundstone Enterprise, the first enterprise-level software solution that reaches into every corner of your network to discover all your assets, accurately identify threats and vulnerabilities, and decisively eliminate them. Foundstone software and solutions are already protecting the mission-critical assets of many of the world's leading enterprises and government agencies. Find out how to get the most formidable protection for a finite budget. Call 1-877-91-FOUND. Or go to www.foundstone.com/cso1
In the months following September 11, when security was intensified at airports, at government sites and in large cities, prescriptions for antianxiety medication climbed 23 percent in The Big Apple. Does your security strategy put your employees in a New York state of mind?

By Daintry Duffy

IN THIS STORY: Employees want to feel safe, but some security measures will only serve to make them feel more anxious ■ Consider the psychological impact that your company's security strategies will really have on its people

Psychology of Security


We are rapidly devolving into a civilization of nervous nellies.

All it took was a smudge of white powder on an elevator button recently to prompt a full-scale evacuation of a building in Delaware. The substance was later identified as sugar from a powdered doughnut. As a nation, we’ve pinned our hopes for future survival on the frenzied acquisition of duct tape and plastic sheeting. In truth, we’ve probably all stored up enough canned tuna and baked beans so that, if the worst ever happens, we won’t go down without a good case of scurvy.

Even when the warnings seem reasonable enough, rationality often flies out the window—security in all its visual manifestations reminds us of just how vulnerable we are. That’s why managing a sound security program means so much more than amassing a cadre of guards, metal detectors, ID badges and computer technologies. On the contrary, introducing closed-circuit cameras into the workplace is something that could be interpreted by employees as a sign of concern for their safety—or a suggestion of corporate mistrust. Metal detectors in an office lobby may offer reassurance in a high-risk location—or they may create anxiety for those entering the premises.

“What to a CSO is an impersonal protective measure, to most employees represents an emotional message,” says Ken Siegel, a management psychologist and president of The Impact Group. “There’s no such thing as an antiseptic intervention.”

To understand the psychological reactions that employees can have to security measures, CSOs will need to become effective communicators and strategists. We talked to psychologists and security experts about various psychological reactions to security and the reasons behind them. Here are some techniques that psychologically savvy CSOs can use to “head-shrink” their security style for success.


Perhaps studying psychological reactions to security might strike some CSOs as a colossal waste of time. After all, how interesting can it be to get inside the minds of people who time and again choose their own last name as a password? Nevertheless, 80 percent of security is psychology driven, insists Rich Maurer, associate managing director of the Security Services Group for consultancy Kroll, suggesting that it’s a rich area to mine for improvements in security planning and practice.

To understand how employees feel about security, CSOs must first accept that users’ enthusiasm for security measures will wax and wane drastically over time. During periods of great anxiety, their natural reaction will be to say, I’ll do anything you want, just keep me safe. In the airports following 9/11, for instance, the tolerance was fairly high for bag searches, long lines and national guardsmen with M-16s casually slung over their shoulders. But people can’t sustain that level of anxiety indefinitely, says Dr. Robin Dea, chairman of the chiefs of psychiatry at Kaiser Permanente in northern California. She points out that once people become accustomed to the new level of risk, they start to question whether the security measures really make a difference. “Suddenly that national guardsman starts to look more like a 22-year-old kid with 45 minutes of training with an M-16,” Dea says. It just doesn’t create quite the same aura of safety.

People will also respond to the same security measures in different ways, says Phill Banks, a former Canadian Mountie and current head of Deloitte & Touche’s security management group. “There’s always a balance,” he says. “Some see the need to present an ID card as a measure of safety; others see it as just another manifestation of Big Brother.”


38  www.csoonline.com  July  2003 


The Threat Level Is Elevated!


IN  HIS  treatise  on  the  psychol¬ 
ogy  of  terrorist  alarms,  Philip  G. 
Zimbardo,  a  professor  of  psy¬ 
chology  at  Stanford  University, 
outlines  \what  he  calls  the  “Paul 
Revere  paradigm  for  successful 
dissemination  of  public  alarms." 
He  bases  his  theory  on  four  rea¬ 
sons  for  the  success  of  Revere’s 
famous  ride  to  alert  the  colonials 
of  the  British  approach. 

■  Revere  was  known  to  be  a 
credible  communicator. 

■  His  alarm  was  focused  on  a 
specific  event. 

■  It  was  designed  to  spur  citi¬ 
zens  to  act. 

■  it  called  for  a  concrete  set  of 


actions  in  response. 

Zimbardo adds that contemporary psychological research has supported this theory by finding that such alarms should arouse only a moderate level of motivation. “Too low doesn’t energize action, and too high creates emotional overload and competing, distracting behaviors,” he says.

Zimbardo’s paradigm explains why the national threat levels have created so much confusion. The color-coded threat scale was designed to signal activity to the military, the police and other protective services—but not to the public. So when a new threat level is announced, the public is alarmed but has nothing to do in response.

Zimbardo notes that after the CSO issues an alarm, he must remember to debrief employees so that any misinformation can be corrected and to reinforce the value of people’s efforts. That is particularly important when a threat doesn’t materialize. “Some reputable authority must provide an explanation of why and then eventually lower or remove the threat alert,” Zimbardo says. -D.D.


The recent attention to security has even spawned its own new psychological disorder, called Security Obsession Syndrome or, appropriately enough, SOS. Sufferers of SOS are easy to identify: They exhibit an extreme preoccupation with personal safety, they constantly evaluate the performance of security personnel, and they fixate on potentially suspicious people on airplanes or in public places. “These people are obsessive,” says professor Cary Cooper, a behavioral psychologist at the University of Manchester Institute of Science and Technology. “They go overboard interpreting verbal and behavioral cues that take them way beyond reality.” It’s an anxiety disorder that has always existed in a small percentage of the population, but according to Cooper, it has increased dramatically—up from about 1 percent to 5 percent of the population in the past two years.

In the workplace, as in society, security threats are not static. The risk level—whether from an office worker stealing laptops or from the proximity of a facility to a metropolitan area—changes over time. An escalation in security might require employees to report all unfamiliar persons in the office or take extra precautions in locking up corporate assets and their own valuables. If after several weeks the threat doesn’t materialize or the perpetrator is caught, the CSO should follow up by communicating a reduction in the level of risk while reinforcing the idea that certain best-practice behaviors are always a good idea. Employees gain confidence in the corporate security program when they see the security level change in response to circumstances, because it shows that the company is paying attention.

Psychologically Savvy Security

How do you strike a balance between security measures that act as a deterrent to the criminal element but make employees fearful and uneasy? “There is a certain level of physical deterrence that is desirable, that says this site is protected,” says Martha Droge, a landscape architect and urban planner with Ayers/Saint/Gross. “However, any organized [criminal] group will do research, and even if security is subtle, they will detect it.”

One psychologically savvy approach is community policing—a practice that law enforcement has found to be successful. With the guidance of police departments, community policing encourages neighbors to keep an eye on each other’s houses and properties and report any anomalies to the authorities. “The best protection is community,” says Richard Parson, psychologist and president of the Western Behavioral Sciences Institute. “People can be formed into a community that cares about each other and, as a byproduct, notices when something is wrong.”


However, the fastest way to lose employee cooperation is to set the security bar either too low or too high. CSOs will find that most employees pay close attention to security changes. They parse communications from the security group looking for signs that something may affect their physical safety. As a result, CSOs need to make sure that the security they employ is appropriate to the level of risk.

They also need to ensure that security measures, once put in place, are well maintained. Studies by social psychologists show that if a window in a building is broken and remains unrepaired, the rest of the windows will soon be broken. That one broken window serves both as an invitation to hooliganism and a message that no one is paying attention. The same holds true for corporate security measures. One sidestepped security measure and respect for the system will quickly erode. “When you see that somebody’s propped a garbage can against a magnetic door or that the video camera has been broken for weeks, then it defeats the whole purpose,” says Kaiser Permanente’s Dea. “The trust starts to fade that you are serious about security—or that security was ever there in the first place.”

CSOs shouldn’t feel like they are fear-mongering when they talk to employees about scary things. The CSO is probably the closest thing to a security expert in most people’s daily lives; he can decipher what all the security news on a corporate, local and national level means for employees in their work and family lives.

“If people have a plan in their minds, they’re less anxious,” says Dr. Robert Butterworth, a psychologist with International Trauma Associates.

In a study titled “Effects of Fear and Anger on Perceived Risks of Terrorism,” conducted shortly after Sept. 11, Baruch Fischhoff, professor of public policy and social and decision sciences at Carnegie Mellon University, tracked respondents’ feelings about different policy measures that the government could take in response to events. His study concluded that the government should provide people with honest, accurate information, even if it worries them. “People want to be treated as adults. They want you to level with them even if the truth is uncomfortable,” says Fischhoff.

In order to get good feedback from employees about security, CSOs have to give good information, thereby creating a trusting relationship. But that’s one place the typical Joe Friday stoicism of the security team can be a barrier. “These guys are not known for their interpersonal alacrity,” says The Impact Group’s Siegel. “Security sometimes operates like a quasiparamilitary organization, and they see themselves as detached from the businesspeople and the employees they are supporting.”

Now that security is a front-burner issue, it’s time to take advantage of employee interest and cultivate it. Community-building can be achieved in the workplace by making employees a part of the security initiative, giving them specific tasks when security measures are heightened. Perhaps CSOs could even offer employees the opportunity to beta test security measures before they are enacted. “We’re in a world now where we don’t want to sit and wait and respond to what happens,” says Dr. Gary M. Jackson, a former research psychologist with the Secret Service and current president and CEO of Psynapse Technologies. “We want people to be concerned and aware, and we want them to report things that seem out of place. And it turns out that people want to do it. That way they don’t feel like the helpless victim. It gives them something to do.”

CSOs can also generate trust and goodwill by acknowledging that security at home and in the workplace are no longer two separate issues. “I think that [security organizations] still have the mentality of work versus home, but terrorism blurs all that,” says Butterworth. “The same hazards are faced by people on a business trip, in their offices and at their homes. What we do in terms of preparation has to be reevaluated.” (See “Avoiding the Road to Perdition” at www.csoonline.com/printlinks.)

In times of crisis, managers need to have different expectations for employee behavior and productivity. Employees often are less productive, work shorter days and take longer lunches as a coping mechanism. “Smart employers know that when something acute happens, productivity goes down for three or four days,” says Dea. She suggests that CSOs use that as an opportunity to get people together to discuss their fears.

Without alarming employees, CSOs should communicate with them and do some planning around what would happen if a local or widespread security crisis caused people to be stuck at work. What kinds of services would the company be able to provide for them on a temporary basis? Many security departments already give employees guidance on maintaining IT security when they’re at home. Employees will also appreciate advice that pertains to their physical security outside the office.

Of course, even in times of relative calm, CSOs should make an effort to meet with employees one on one, since employees will often privately express opinions and emotions about the company’s security level that they wouldn’t say in a group.

CSOs can also call on an employee assistance program, or EAP, as a valuable source of information for the security team: an EAP can help gauge if employees feel that the security precautions are sufficient and whether security measures may be causing excess or unnecessary anxiety.

Smart security executives understand that their initiatives will stir up a broad array of emotions across the employee population and that they can’t expect to please everyone when dealing with diverse groups with different intrinsic fears and anxieties. CSOs will find that the safest strategy is to play to the center and satisfy the greatest number of people possible. “When you talk about security there’s a wide range of things, but it all comes back to good security staff and a good security policy,” says Psynapse’s Jackson. Combine that with a great communication strategy, and the majority of employees will be on your side.

CSOs who keep their fingers on the pulse of employee sentiment will have greater success realizing their security goals. “You really can encourage people to behave in certain ways,” says Carnegie Mellon’s Fischhoff. “But if we have plans that depend on human behavior, they ought to be realistic.” ■


Senior Editor Daintry Duffy can be reached via e-mail at dduffy@cxo.com.


YOU NEED TO GET SMART. FAST

Top infosecurity pros offer 5 strategies for keeping watch over e-commerce risk

BY KIM GIRARD

Steve Haydostian, CISO of Health Net, pushes business partners to comply with standards such as HIPAA and ISO 17799.

IN THIS STORY: How business partnerships open your network to new vulnerabilities ■ Techniques for reducing e-commerce risks

BRUCE SCHNEIER SELLS services that protect corporate networks, but he isn’t promising any miracles when it comes to the behavior of your business partners. “Do business with people you trust,” says Schneier, founder and CTO at Counterpane Internet Security. “Don’t do business with people you don’t trust. It’s no different than the world’s been for centuries.”

CSOs such as Steve Haydostian may find that chestnut a tad simplistic. He is chief information security officer at Health Net, a $10 billion managed health-care company. For Fortune 500 companies like Health Net—and even for much smaller ones—the complexity of the global network and the pervasiveness of e-commerce have increased information security risks by orders of magnitude. And in the current lackluster economy, many money-saving business moves—from outsourcing manufacturing to collaborative planning—are making companies still more vulnerable. Michael Rasmussen, security analyst at Giga Information Group, sums it up elegantly: “Companies are scared their business partners are their liability, the doorway of compromise into their environment.”
So for the security officer who has too many e-commerce partners to do business on a handshake-and-backslap basis, what can improve the security odds? CSOs interviewed for this article offer up a melange of approaches toward securing e-commerce networks. Often, these strategies seem more like works in progress than steadfast plans. Yet many CSOs are cobbling together strategies that mix old infosecurity standbys (savvier use of outsourcing, a host of intrusion and virus detection software, tighter network management, improved policies, better employee training) with reliance on a growing crop of regulations and industry standards that add complexity but at least provide relief by enabling business partners to communicate using a common language.

Even when every preventive item on the IT list is checked, can a company still be certain that its partnerships are 100 percent bulletproof? No. But while CSOs can’t eliminate all the risk from e-commerce, they can borrow ideas and best-practice methods for protecting critical data. So where’s a company to start?

1. Know Thy Relationships

First, understand what you manage by taking inventory, not only of your own network but also of your business connections and partnerships. This gets tricky for companies that have scores of subsidiaries or have gone through mergers and acquisitions. But doing so will create a baseline from which to measure progress, says Ted DeZabala, a principal in Deloitte & Touche’s enterprise security services group who advises the Fortune 500 on security policy. A CSO who doesn’t have this basic knowledge “won’t be around for long,” he says. Any network inventory should include a rock-solid list of outsiders who have access. Consider this blunder: In March, a government agency Rasmussen worked with discovered it still had a live connection to a banking partner it no longer did business with. “They weren’t aware of it,” he says. “They had a legacy connection that was never taken down.” It sounds obvious, but businesses get caught unaware all the time. In fact, up to 20 percent of network routers are providing inappropriate access to corporate networks, systems, applications and data over the Internet, according to the Aberdeen Group.


Various tools and services can help speed up this inventory process. Dave Cullinane, CISO at Washington Mutual, a Seattle-based bank with 2,500 offices, mentions services provided by Lumeta as an example. Lumeta creates maps that help companies understand how their global network connects to their partners and to the Internet. Companies use the maps to identify previously unknown routes into the network or to see where users are making unauthorized connections. This kind of work doesn’t come cheap—pricing for Lumeta’s IPsonar service starts at $21,500 for a one-time scan and limited license—but should be weighed against the potential cost of a breach. “Network mapping is essential,” Cullinane says. “Ideally, it should show how to segment the network—so if an attack occurs in sector A, you can prevent it from spreading to the other sectors.”

This inventory and mapping chore never really ends. Albert Oriol, privacy and data security officer at The Children’s Hospital in Denver, is finding that a sound e-commerce security map is a work in progress. When Oriol started at the hospital in 2001, he first had some internal security gaps to close. Only after he and his team implemented redundant firewalls, invested in an intrusion detection system and deployed antivirus software to all servers did Oriol start finding time to look outside his own network. Now, he’s helping security officers from the hospital’s five affiliates understand how patient data flows through the network and addressing issues such as standardizing remote access and e-mail encryption. Those needs don’t sit still. “We’re trying to get the things that need to flow through on the network, and the things that don’t off,” he says. “We keep refining it. It’s a never-ending process.”

2. Mete Out Access

Once they complete an inventory, companies need to understand what applications and parts of the network will be shared and how to share them. Frequently, one business partner wants more than the other is willing to give.

The key step in defining partner access levels is to weigh risk against the need to share information. One example is a Fortune 100 company using three security levels to segment its 2,500 suppliers. These levels, determined by a team of technical managers and businesspeople, are documented and defined according to each partner’s need for access. The manufacturer, with its staunch policies that include not speaking on the record to the press about security, leaves little to chance.

The three levels are defined as follows. For a supplier with simple data requirements, a five- to 10-minute simple dial-up connection will do. The manufacturer audits these connections and conducts parameter logging. For suppliers that need to get their hands on a wider breadth of information, such as a large manufacturing report to help better plan production, the company uses a wider bandwidth connection with a firewall at each end. For heavy-duty users, it offers a standing, perpetual connection over a virtual private network with firewalls. Both sides agree on how each end is monitored, and to ensure security for both parties, either side can shut down at any time if there are security issues, according to the CSO.

To better control requests for network access, according to Washington Mutual’s Cullinane, any new network connection that doesn’t adhere to an established policy should require the signature of both the CSO and a senior executive in the business unit requesting access. Any request that’s approved should be for a limited period of time, he says.
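The inventory discipline of section 1 and the access rules of section 2 reduce to checks a security team can run over its own list of partner links. The following Python review is an added example, not code from the article or from any company it quotes; the tier names, approver labels, sample partners, dates and the 90-day idle threshold are all constructed assumptions. It flags legacy links to partners no longer under contract, policy exceptions that lack the dual sign-off or an end date, expired access that is still provisioned, and links nobody uses.

```python
"""Review a third-party connection inventory against the rules in sections 1 and 2.

Added example, not from the article. The inventory below is constructed; the
tier names, approver labels and 90-day idle threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# The manufacturer's three partner access levels, least to most capable (assumed labels).
TIERS = ("dialup", "firewalled_link", "vpn")

# A connection outside established policy needs both signatures (Cullinane's rule).
REQUIRED_APPROVERS = {"CSO", "BUSINESS_EXEC"}
IDLE_LIMIT = timedelta(days=90)   # assumed threshold for "nobody uses this link"


@dataclass
class PartnerLink:
    partner: str
    tier: str
    active_contract: bool                     # still doing business with them?
    policy_exception: bool = False            # provisioned outside the standard tiers
    approvers: frozenset = frozenset()        # who signed off on the exception
    expires: Optional[date] = None            # None means open-ended
    last_traffic: Optional[date] = None       # None means never observed


def review_link(link: PartnerLink, today: date) -> List[str]:
    """Return findings for one link; an empty list means it passes review."""
    findings = []
    if not link.active_contract:
        findings.append("legacy connection: partner no longer under contract")
    if link.tier not in TIERS:
        findings.append(f"unknown access tier '{link.tier}'")
    if link.policy_exception:
        missing = REQUIRED_APPROVERS - set(link.approvers)
        if missing:
            findings.append("exception missing sign-off from " + ", ".join(sorted(missing)))
        if link.expires is None:
            findings.append("exception is not time-limited")
    if link.expires is not None and link.expires < today:
        findings.append(f"access expired {link.expires.isoformat()} but link still provisioned")
    if link.last_traffic is None or today - link.last_traffic > IDLE_LIMIT:
        findings.append("idle for more than 90 days: candidate for decommissioning")
    return findings


def review_inventory(links, today: date) -> dict:
    """Map partner name -> findings, listing only links that have any."""
    report = {}
    for link in links:
        findings = review_link(link, today)
        if findings:
            report[link.partner] = findings
    return report


# Constructed sample inventory: partner names, tiers and dates are invented.
REVIEW_DATE = date(2003, 7, 1)
SAMPLE_INVENTORY = [
    PartnerLink("Supplier A", "dialup", True, last_traffic=date(2003, 6, 28)),
    PartnerLink("Former Bank", "vpn", False, last_traffic=date(2003, 1, 15)),
    PartnerLink("Supplier B", "vpn", True, policy_exception=True,
                approvers=frozenset({"CSO"}), last_traffic=date(2003, 6, 30)),
    PartnerLink("Supplier C", "firewalled_link", True, policy_exception=True,
                approvers=frozenset({"CSO", "BUSINESS_EXEC"}),
                expires=date(2003, 5, 31), last_traffic=date(2003, 6, 29)),
]


def review_sample() -> dict:
    """Run the review over the constructed inventory as of REVIEW_DATE."""
    return review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for partner, findings in review_sample().items():
        print(partner)
        for finding in findings:
            print("  -", finding)
```

Running it prints Former Bank (legacy and idle), Supplier B (missing the business-unit signature and open-ended) and Supplier C (expired but still provisioned); Supplier A passes.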

3. Share Standards

Another way to boost e-commerce security is to ensure your company’s policies make their way to every person within the supply chain. Evolving standards and guidelines from organizations such as the International Organization for Standardization (commonly known as ISO) and the National Institute of Standards and Technology (NIST) are helping to simplify this process by creating common terminology and requirements.

Charles Ryan, director of information security at Molex, a $1.7 billion electronics manufacturer with 55 locations, frets over the amount of data that his company sends over the Internet. Keeping that data safe is critical to ensuring on-time delivery, which is a top priority for Molex, a huge supplier to auto and consumer electronics companies. Ryan is building the company’s information security policy around ISO 17799, a detailed security guideline. He says it has simplified his job immensely, especially during a recent meeting with a big business partner. Ryan thought the meeting would be a deal breaker because of the complexity involved with ensuring security. Not so. “When we mentioned ISO was our standard, the conversation stopped right there,” he explains. “They said, ‘Yeah, we accept that as the way going forward.’ It was a big surprise to us. Right off the bat we came up with common ground.” Ryan recently used a questionnaire he drafted using ISO 17799 to audit Molex’s security at a Singapore corporate office. He hopes to make the audit, which ranks companies on a 1-to-5 scale (5 being “best practice”), part of the standard process Molex will use in the future with partners. While the policy provides some security, a drawback exists: There’s not yet a way to certify a company as ISO 17799 compliant, so companies must take each other’s word. Ryan admits his efforts are a work in progress. “We’re not at the stage yet where we have a firm process and security to reject someone,” he says. “This is pretty much a maturing standard.” (For more about this maturation process, see “Guiding Lite” at www.csoonline.com/printlinks.)

Charles Ryan, director of information security at Molex, lets trading partners audit his company’s infosecurity.

Like Ryan, Health Net’s Haydostian has developed requirements for business partners based on federal mandates. The company typically asks whether its partners comply with the Health Insurance Portability and Accountability Act (HIPAA) and guidelines from ISO, the National Security Agency and NIST. When necessary, Haydostian refers partners to the standards with which they must comply. He asks questions, such as whether the company has an information security officer and published security standards that are enforced. “You may be linking up to anybody, and you have to ask what security level they have,” he says.

4. Ask for Audits

For added security, some companies are turning to auditing their business partners more often. However, this approach is more dicey. Bigger companies often have the upper hand when it comes to demanding audits and view them as a necessary part of doing business. Yet the audited parties sometimes view the audit as, at best, a necessary evil. For good reasons, they don’t want the headache of allowing a bunch of outsiders to nose around their network. Some businesses—such as banks and big insurance companies—reject audits because they allow unwanted access by potential competitors in this ever-merging environment. Washington Mutual’s Cullinane, for one, refuses audits outright. “We don’t feel that’s something we want to share with the world for competitive reasons,” he says. The bank, however, does comply with federal rules that mandate certain breaches be reported.

To sidestep audits, some companies with clout contractually require business partners to retain a certain security level—and then still treat them as “nontrusted partners” by installing a firewall and limiting access, says Andy Toner, a partner at PricewaterhouseCoopers. Health Net’s Haydostian has a documented plan for auditing partners. First, he asks if the partner has conducted penetration tests for both the internal and external networks. If any high risks are identified, he asks when the problems will be corrected and when the next test is scheduled. Aside from a HIPAA business agreement, the company requires that partners sign a document allowing Health Net to conduct unannounced site visits to audit their facilities. They also sign confidentiality agreements.

Others are more open to letting their business partners audit them, even viewing the process as helpful. Molex’s Ryan says he agrees to audits because he understands the company’s vulnerabilities at any given time and is always working to fix them. He claims he’d be let down if partners auditing Molex didn’t alert him to these problems. That would mean they weren’t doing a good job auditing on their end.

Some companies treat partner audits on a case-by-case basis. Paul Sheahan, an information security manager at an online retail business, typically comes to an agreement with a partner about whether his company can remotely audit from time to time. Nothing is mandated. But if the partner agrees, Sheahan’s company uses different types of vulnerability and port scanners to audit the partner network. “They have to agree beforehand,” Sheahan says. “We can’t just scan them without permission. We can usually come to some sort of agreement.”

Sheahan, like many CSOs, is struggling to create uniformity when doing business with 25 partners. “Everyone knows a process should have been in place,” he says. But “it always fell through the cracks.”

5. Offer Education

Aside from training their own employees, should CSOs be responsible for training their partners too? “We do this to a certain degree,” says Rick Ensenbach, director of information security at Conseco Finance. “People on the other end are competent. We don’t do anything complicated.” The company offers its partners user handbooks and guides that explain its processes. Conseco, like all financial institutions, makes partners sign a high-level contract that mandates they protect customer information according to federal and state regulations. To make sure that Conseco’s own systems are secure, Ensenbach works with the company’s technology staff, which uses tools such as BindView, Nessus and Snort to do technical audits within its divisions. He’s planning to hire consultants to conduct an independent annual security audit that meets the requirements for banks included in the Gramm-Leach-Bliley Act. Ensenbach says the company would not share audit information with any other company without first making sure a nondisclosure agreement or some type of confidentiality contract is in place.

“I see this practice continuing and probably increasing because people like myself don’t have the time or resources to audit business partners,” he wrote in an e-mail. “There comes a point where you have to put trust in your partners.”

And that brings us full circle. Just as security guru Bruce Schneier says, e-commerce remains an act of faith—not completely blind faith, but faith nonetheless. So far, CSOs haven’t woven together a net of technology and policy safeguards strong enough to replace good old-fashioned trust. ■

Kim Girard is a freelance writer based in California. Send feedback to Executive Editor Derek Slater at dslater@cxo.com.


SMALL COMPANY, BIG TROUBLE

Think the little guys are safe from e-commerce-induced vulnerabilities?

Consider the case of Jesus Oquendo, who in 2000 worked as a computer security specialist at now-defunct Collegeboardwalk.com. Oquendo, who shared an office with Manhattan-based Five Partners Asset Management, altered commands on the company network to automatically route the password file from Five Partners’ system to his e-mail account every time the company’s system rebooted. After Collegeboardwalk went belly up, Oquendo continued to access those passwords remotely using a shell account he illegally installed on the victim’s network. He started hacking programs and other information in an electronic directory no longer used by Five Partners. He also installed a sniffer program that intercepted and recorded electronic traffic on Five Partners’ network.

Oquendo didn’t stop with Five Partners. Using a sniffer, he obtained the password of a Five Partners employee who had an account belonging to computer wholesaler RCS Computer Experience. Oquendo eventually used his illicit access to delete RCS’s entire database, costing RCS approximately $60,000 to repair. He left the company a glib message: “Hello, I have just hacked into your system. Have a nice day.”

Although he denied the charges, Oquendo was convicted in 2001 of computer hacking and electronic eavesdropping. He was sentenced to 27 months in a minimum-security federal jail. -K.G.
CSO Compass Award honorees:

The CSO Compass Award honors leaders who have helped build a security culture not just in their own organization but in the broader business community and the nation. Our inaugural winners hail from government and industry, and from a wide variety of backgrounds; their years of distinguished service have made them familiar names. ■ We asked each honoree to share thoughts about where security and CSOs are headed in the near future.
Clarke is most recently known for his position as White House cybersecurity czar from 1998 to 2003—the culmination of 11 years in the White House, making him the longest-serving senior staffer. Previously, he spent 19 years in the Pentagon, serving variously as deputy assistant secretary of state for intelligence, assistant secretary of state for military affairs, and coordinator of diplomatic affairs during the Gulf War. He was as comfortable serving Presidents Bush, Clinton and Bush Senior as he was talking sleeper cells with George Stephanopoulos on Sunday morning.

Clarke resigned his White House post—and turned in his FBI-issued semiautomatic handgun—in February 2003, partly in frustration at being passed over for a position as deputy secretary of Homeland Security. While Clarke may have felt stymied at times by D.C. bureaucracy, clearly he led the way in elevating the possibility of cyberwarfare to the front of national consciousness. At a recent U.S. House Technology and Information Subcommittee hearing, Clarke cautioned that the U.S. government is without a leader in the cybersecurity war, and urged CSOs to get involved in government and educate legislators about security issues.

“Threats to a corporation are multifaceted. They may come from criminals, competition, hackers, terrorists or insiders. CSOs need to ensure that they are part of a corporate governance model that relates physical security, cybersecurity, privacy, continuity of operations and personnel security. They need to be part of a structure that involves the CIO, the COO, HR and the privacy officer. That structure must have regular access to the CEO and to a body within the board. A corporate security council model rises above the stovepipes of traditional wiring diagrams. Working together, members of such a council can identify multifaceted threats and develop integrated responses. They can advocate for the resources they need and, perhaps, be able to relate overall corporate security expenditures to an ROI.

What's next is a future of indefinite duration in which new technologies will continue to appear at a steady pace, each offering the hope of greater efficiencies and carrying with them the potential of danger. Wi-Fi seems to bring the freedom to move about, but it may (if not done properly) also allow malicious actors behind the firewall. Third generation, or 3G, phones may finally bring us the single portable device but could, in the absence of security software, be the weakest link in a network. VPNs allow road warriors to get at their desktops from the hotel room but can also zip any infection on the laptop right onto the corporate network. At the far end of the planning horizon, quantum computing will both destroy all current encryption protection and simultaneously offer those who have it an uncrackable code. Nanodevices will create truly ubiquitous computing but will pose a serious challenge to civil liberties and privacy.

We need a mechanism to identify the security and policy implications of technology before it goes to market so that we can balance technological advances with our security needs and what we stand for as a nation.”

-RICHARD CLARKE


CORPORATE LEADER

Bob Littlejohn, Vice President for Global Security, Avon Products

Littlejohn already has a career's worth of security experience to his name—including years in the New York City Police Department and Office of Emergency Management, the United States Army, and the investigations and consulting services unit of Pinkerton's. His work has furthered the role of the security executive in corporate America. For example, while president of the International Security Management Association, he spearheaded the creation of the ISMA Leadership Program to help future CSOs broaden their executive skill sets.

“Sept. 11, 2001, altered the way senior management views the role of the CSO. It's becoming a much more critical part of the global business process. The bar for CSO performance has been raised, and now the CSO must perform at the executive level.

Moving forward, there are four critical areas in which the CSO must learn to excel. First, the CSO must become a master strategist. He must be able to view the world with a watchful eye and predict security issues before they become actual problems. To develop the big picture, be able to look at the world and try to figure out where the hot spots are. What's the next issue and how should you deal with it? As companies come to rely on their security organizations more and more, the CEO will expect his CSO to have his ear to the ground, to know what's going on at all times and to think ahead.

Second, the CSO must become a skilled communicator with the ability to clearly articulate his security agenda to the CEO, the board of directors and also to the lowest-level security personnel at his company's locations throughout the world.

Third, the CSO must be a global builder, capable of creating and nurturing alliances worldwide with law enforcement, the intelligence community and with his own staff.

Finally, the CSO must be a dynamic executor, prepared to implement his plans, procedures and policies rapidly—whether it be an evacuation in a U.S. metropolitan area or an evacuation in Jakarta, Indonesia. CSOs have to develop and display leadership skills so that, in the event of a security incident, they can effectively direct a plan while also giving confidence to their employees. CEOs are going to expect this kind of leadership more during the coming months.

I also see two major challenges coming within the next year: maintaining momentum in the security space and establishing effective information-sharing practices. After 9/11, a lot of momentum was built around shoring up building security methods, cyberdefense and global business security. As people see the threat decreasing, momentum naturally tends to wane. When CEOs see that the alert level is down to yellow, they feel OK about letting their guard down. But we have to be aware no matter what the threat level may be in order to be adequately prepared. Also, CSOs need to be thinking about the most effective method of sharing information with their peers and with the government, particularly as the Department of Homeland Security comes together.”

-BOB LITTLEJOHN
Denning is an expert and visionary in the fields of cybercrime, hacktivism, information warfare and security, and encryption. A former professor of computer science at Georgetown University, she has published more than 120 articles, four books—including 1999's Information Warfare and Security—and was the first president of the International Association for Cryptologic Research.

“I'm currently studying trust and influence in the context of social and technological networks in preparation for a course I am developing at the Naval Postgraduate School. I'm trying to understand the nature and functions of trust and influence: how they are established, maintained and destroyed; and the role they play in human relationships, organizations and societies.

For CSOs, trust is essential in two domains. First, the software and hardware underlying the organization's information infrastructure must be secure enough that the technology can be trusted to support mission-critical functions. Otherwise, the productivity gains possible with computing technology will not be fully realized, and people will resort to less efficient, manual methods for critical communications, business transactions and information processing. Or computers will be used, but information will be compromised, corrupted or destroyed—the consequences of which can be costly and even damaging to the organization's credibility, particularly if compromised systems are used to launch attacks against other organizations. Second, the people must be trusted to use and operate the technology in a way that maintains security and is consistent with organizational objectives. Using weak passwords, for example, can undermine the security offered by firewalls and other security measures. Insiders must be trusted to not abuse their authority or engage in inappropriate or illegal activity.

Trust is also essential at a broader level to achieve national objectives for cyberspace security. In particular, efforts to promote information sharing through industry-sponsored Information Sharing and Analysis Centers and government-industry partnerships will fail unless CSOs have sufficient trust in each other and in the information-sharing systems used. CSOs will not share sensitive information unless they are confident that it will not be exposed or used against them. They need to know that their information is well-protected from both insiders and outsiders.

Because our national critical infrastructures are operated primarily by the private sector, the government and citizens must also trust the owners of those systems to provide security, reliability and survivability. To the extent that the industries involved are not regulated, this trust will be based more on the voluntary initiatives taken by the infrastructure owners than on government forces. Not everyone finds this approach satisfactory, but the industries themselves have a strong business incentive to protect their systems from physical attacks and cyberattacks.

The challenge of trust is that it is usually hard to establish—but so easy to destroy. It can take months or years of interaction before people trust each other or a particular technology. Yet, a single breach of trust can undermine it almost immediately.”

-DOROTHY DENNING


INDUSTRY ADVOCATE

Bill Boni, Vice President and Chief Information Security Officer, Motorola

Boni has spent more than a quarter century as what he calls an “information protection specialist,” his career spanning from government roles—a U.S. Army counterintelligence officer, federal agent and project security officer for the Star Wars missile defense system—to private industry. He also has served an unofficial role raising the general awareness and understanding of information security issues, both as a writer (Boni coauthored Netspionage: The Global Threat to Information in 2000) and commentator in various media outlets.

“The unexpected and unpredictable climate we live in—glaring examples being 9/11, war with Iraq and the outbreak of SARS—has thrust the chief security officer into the limelight, perhaps a place where these technologists and law enforcement experts are not quite comfortable. But organizations are adding CSOs to their rosters because they are looking for security leaders. Now that CSOs have a seat at the table, it's time for them to start adding to their repertoire of skills.

Security has become an embedded expectation of society: by the consumer, the business, the employee. And the CSO is expected to have the legal, practical and technological knowledge needed to ‘protect from the unexpected,’ quite an oxymoron in itself. CSOs are increasingly asked to take over operations such as consumer privacy and data protection as well as to ensure that whatever they do is in compliance with current legislation. In order to fulfill these big expectations, I consider myself a perpetual student. I read just about anything that even remotely deals with security. And I just returned from a week of executive training at the Kellogg School of Management at Northwestern University. Ramping up on managerial skills, finance, marketing and product development is as important as expertise in risk management and will be key in the success of a CSO.

As the role develops, the CSO will become more of a chief risk officer, an executive in charge not only of the technological risks a company may face but also the business risks married to security concerns. Many CSOs have law enforcement pasts, and now more than ever, it's important to hold on to that past. Having the right cybercrime contact on Capitol Hill and keeping abreast of what government is doing in the wake of 9/11 and the development of the Homeland Security Department are just part of the CSO job.

The CSO must also realize that risk is international. Knowing how to protect yourself in the United States is important, but learning how to protect yourself globally is equally critical. That means you have to know the full diversity of laws and cultures in the global workplace—how identity theft is investigated in Romania, who the cybersecurity experts of Indonesia are and how to reach them. The Internet is a perfect breeding ground for international worries—a common denominator—and a threat for just about every business, consumer and government in the world.”

-BILL BONI

CHANGE AGENT

Bob Weaver, Deputy Special Agent in Charge, U.S. Secret Service Financial Crimes Division

Weaver has served in government for nearly 28 years, 21 of those years in the Secret Service. He currently holds the position of deputy special agent in charge of the Secret Service's Financial Crimes Division and is also the founder and head of the New York Electronic Crimes Task Force, where he supervises a dedicated staff of high-tech crime fighters and criminal investigators. Weaver was at the forefront of a major mind-change in law enforcement regarding electronic crime, helping shift the focus from prosecution to prevention.

“CEOs and CSOs must take their risk management procedures—and this includes both physical security and cybersecurity—seriously. Some people put the two disciplines together and call it enterprise protection planning, while others call it risk management. I suggest that CEOs, CSOs and CIOs consider that streamlining these two disciplines can provide them with an extra level of fast-tracked communication when times get tough. And having better coordination and communication is just good business. What you may see in the next few years is a movement toward placing the physical security and cybersecurity components closer together in the corporate world so that companies and employees can better protect themselves and their businesses.

The best way I can explain the need for preincident planning is this: Get up from your desk right now, walk out the door with nothing but the clothes on your back, run for your life and know that everything you leave behind has been destroyed. And then tomorrow, go back to work. If you can stand up under that battle-tested environment and actually run your business the next day, then you have the kind of robust and redundant systems that can only come from preincident planning. You can't make that up as you go along. You have to set preplanning policies and procedures at the strategic, tactical and operational level while at the same time protect your data and intellectual property. This means taking a look at every asset and thinking, If I lost this, would I still be in business? Decide what's most critical to the business, and put backup plans in place so those things can be restored quickly. Your plan must be designed for business continuity—not just survivability—because you need to be able to keep your company up and running. That means having contingency plans, partnerships with other companies and government agencies, and a redundant network in place. And then everyone in the company must know the preincident and continuity plans so that if the plans are activated, each employee knows what to do.

Companies that don't do this plan will make a business decision that puts everything at risk every day. Having such a plan in place is money well-spent because you're protecting both your company's employees and the business itself.”

-BOB WEAVER
What every CSO needs to know about encryption By Simson Garfinkel

CRYPTOGRAPHY IS THE fundamental technology used to protect information in today's information economy. Not coincidentally, it is also responsible for the commercialization of the Internet. Netscape was able to kick off the Internet revolution because of its SSL encryption technology, a scheme that lets consumers send encrypted credit card numbers over the Internet by just filling out a Web form and clicking a button. Say what you will about the dotcom excesses that followed, but much of what we take for granted on the Internet today simply wouldn't have happened without ubiquitous, easy-to-use cryptography.

Yet despite its importance, it is amazing how much disinformation there is out there regarding cryptography. For example, I recently gave a demonstration of a new e-mail encryption system at a conference sponsored by the National Science Foundation. A professor from a university (that will remain nameless) didn't understand the point of my project. “Isn't all e-mail encrypted?” he asked.

“Well, no, it isn't,” I told him. While it's true that practically every e-mail client in use today supports either OpenPGP or Secure/MIME—the two competing standards for encrypting e-mail—it's also true that very few people encrypt their e-mail because doing so is tremendously difficult.

Later, another attendee told me that he didn't bother encrypting e-mail because computers were so fast these days that anybody who wanted to could easily crack a message.

“Well, no, they can't,” I said. Although many encryption systems have been “cracked” or “broken” in recent years, the so-called strong cryptography systems used today are generally regarded as unbreakable. Unfortunately, that simple fact hasn't stopped many journalists, academics and business leaders from asserting otherwise. Rest assured: They're wrong.

With so much confusion out there, it's worth devoting some attention to a brief synopsis on encryption and an exposition of its most common myths. (Next month I'll continue with an exploration of PKI or, more specifically, an attack on PKI excesses.)

Cryptography is a set of mathematical techniques used to lock up information so that it can be unlocked only by a person who has the necessary key or password. Cryptography can also be used to digitally sign or certify information so that you can determine if it was modified without authorization. If there is no possibility that your data might be eavesdropped upon, stolen, modified or publicized without your permission, then there is no reason to protect your data with cryptography. I've tried hard, however, and I can't think of any information that doesn't fall into the “protect” category.

There are fundamentally two kinds of cryptographic systems. The first, called symmetric, uses the same key to encrypt and decrypt. Think of this key as a password: Anybody who knows the key can access the data. Probably the best-known symmetric system is the Data Encryption Standard (DES). Developed in the 1970s by IBM and the National Security Agency (NSA), DES is still widely used today.

The second kind of cryptography is called public-key cryptography. These systems generally have one key that encrypts and a second that decrypts. The best-known public-key system is the RSA algorithm, named after its inventors Ron Rivest, Adi Shamir and Len Adleman.

Both symmetric and public-key systems use keys, but they use the keys in different ways. With symmetric systems, the 1s and 0s in a binary key are like the metal ridges on a house key: To decrypt an enciphered message, each bit in the key must match perfectly. An attacker who doesn't know the key used to encrypt a message can attempt to “crack” the code by trying every possible combination. That approach, however, becomes increasingly unworkable as the key gets longer (there are roughly 4 billion different keys that are 32 bits long; increase the key to 40 bits long, and you get 250,000 times—or millions of billions—as many keys that need to be searched).

Public-key systems are based on mathematical problems such as factoring large numbers. These problems give the systems their two-key properties; they also leave the systems open to attacks other than an exhaustive key search. As a result, keys used for public-key systems have to be much larger than symmetric keys to get the same level of security.

A few examples can quickly illustrate how this all works. The DES encryption algorithm uses a 56-bit key, which means that there are roughly 72 millions of billions of keys available. If you tried to crack a message encrypted with DES by searching a billion keys a second, it would take 72 million seconds to try them all—roughly two and a half years. As it turns out, modern computers can do much better: In 1999, a network of computers found a DES key in about 22 hours, crunching 245 billion keys per second.

Recently, DES was retired in favor of the Advanced Encryption Standard (AES). Instead of a 56-bit key, AES can run with a 128-, 192- or 256-bit key. How long will it be until AES is obsolete? Possibly never. There are 340 billion billion billion billion 128-bit keys; if you had a billion computers, each one of which could crack a billion keys a second—it would still take more than 10 trillion years to try all 128-bit keys. (The sun will turn into a red giant and destroy the earth in 4 billion years or less, so 128-bit keys are probably safe.)

Mind Your P's

Chances are good that you've had at least a half dozen “security policy management” software packages pitched at you during the past few months. And every one of them does something completely different.

“Folks have picked up on the word policy being important to senior executives, so everything becomes a ‘policy management tool’ even if all they really do is patch systems. It's created a lot of confusion” among would-be software buyers, says Pete Lindstrom, research director for Spire Security.

So how do CSOs make sense of the chaos and understand which of the countless policy tools might really address their particular needs? The simplest way to parse policy tools is to think in terms of the Little P and the Big P, according to IDC Research Director Charles Kolodgy (CSO's publisher is a sister company to IDC). Here's what he means: The Little P refers to more technical tools that “deal with the management of a stated machine”—making sure firewalls have the correct settings, for example. This category includes tools such as those from Security and equipment vendors such as Check Point.

The Big P means higher-level policy tools that are used to examine the organization's overall security posture in terms of regulatory compliance (HIPAA, Gramm-Leach-Bliley and Sarbanes-Oxley being famous domestic examples), or international guidelines and standards (such as ISO 17799 or its relative from the British Standards Institute, BS 7799). Such tools can also capture internal policy decisions such as “No Instant Messenger” and push that information out to the corporate firewalls.

Kolodgy says no current tool completely automates that process, but that products from such vendors as BindView, NetIQ, PoliVec and Symantec are reasonably well-positioned to push to this level of functionality. Big P tools need to address not only technical vulnerabilities but also those attributable to human error, such as easily guessed passwords. Thus far, Kolodgy says, such capabilities remain beyond the software available from hardware vendors.

Other products still further up the totem pole could still be considered policy management tools, according to Lindstrom, who mentions software from Archer Technologies and Cogentric. This group of products provides ultra-high-level views of the enterprise and its exposure to risk.

They also go by the heading “risk management consoles” (for more on these programs, see Toolbox, December 2002, at www.csoonline.com/printlinks), but after all, what's in a name? -Derek Slater

If you started paying attention to information security back in the 1990s, then you likely got an inaccurate view of this whole encryption business. Back then, practically every month saw another front-page story about some encryption system being “cracked” or “broken.” Even a message encrypted with the vaunted RSA algorithm fell when enough programmers applied sufficient processing power.

But the truth about modern encryption systems is really quite different from the perception that all of this news coverage helped to create. Back in the 1990s, there was a huge fight taking place between U.S. businesses and the U.S. government. The businesses were selling to an increasingly global market, and their customers wanted to use encryption to protect communications and stored data. But groups within the federal government, including the NSA and the FBI, were themselves actively engaged in a worldwide program of eavesdropping and data monitoring: They didn't want the enemies of the United States to start using strong encryption systems that couldn't be broken.

A 2-Bit Law

Under federal law and international treaty, encryption systems are considered “dual-use” technology; that is, they have both commercial and military purposes. In the early 1990s, U.S. industry cut a deal with the federal government to allow the export of encryption systems that were restricted to using symmetric keys that were 40 bits in length. Although 40 bits might have provided enough security for routine business communications when the compromise was struck, by the middle of the decade 40 bits was clearly insufficient. To demonstrate the inadequacy, groups of researchers set out to crack messages encrypted with 40-bit keys. Their success didn't prove that any encryption system could be overcome—it just proved the absurdity of the government's 40-bit restriction.
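The exhaustive-search arithmetic behind the DES, AES and 40-bit figures above, as an added example that is not the author's code: the trial rates (a billion keys a second, the 1999 rate of 245 billion keys a second, a billion machines) are the article's, while the 365.25-day year, the expected-time note and the `bits_needed` helper are my own assumptions.

```python
"""Key-search cost for symmetric keys: every bit pattern is a candidate key.

Added example for the encryption article; the scenario numbers come from the
article, the helper names and the 365.25-day year are assumptions.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year


def keyspace(key_bits: int) -> int:
    """Number of distinct keys of the given length (2 ** key_bits)."""
    if key_bits <= 0:
        raise ValueError("key length must be positive")
    return 1 << key_bits


def exhaustive_search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key at a fixed trial rate.

    The attacker expects to hit the right key after half the keyspace,
    so the expected time is half of this value.
    """
    if keys_per_second <= 0:
        raise ValueError("trial rate must be positive")
    return keyspace(key_bits) / keys_per_second


def exhaustive_search_years(key_bits: int, keys_per_second: float) -> float:
    """Worst-case search time converted to years."""
    return exhaustive_search_seconds(key_bits, keys_per_second) / SECONDS_PER_YEAR


def keyspace_ratio(longer_bits: int, shorter_bits: int) -> int:
    """How many times larger the longer keyspace is: 2 ** (bit difference)."""
    return keyspace(longer_bits) // keyspace(shorter_bits)


def bits_needed(years: float, keys_per_second: float) -> int:
    """Smallest key length whose full search takes at least `years` at the given rate.

    Useful as a defender's sanity check when a vendor quotes a key size.
    """
    target_keys = years * SECONDS_PER_YEAR * keys_per_second
    bits = 1
    while keyspace(bits) < target_keys:
        bits += 1
    return bits


if __name__ == "__main__":
    # The article's scenarios, recomputed.
    print(f"32-bit keys: {keyspace(32):,}")  # about 4 billion
    print(f"40-bit vs 32-bit keyspace: {keyspace_ratio(40, 32)}x")
    print(f"DES (56-bit) at 1e9 keys/s: {exhaustive_search_years(56, 1e9):.2f} years")
    hours_1999 = exhaustive_search_seconds(56, 245e9) / 3600
    print(f"DES at 245e9 keys/s (1999): {hours_1999:.1f} hours worst case")
    print(f"AES-128, a billion machines at 1e9 keys/s each: "
          f"{exhaustive_search_years(128, 1e18):.3g} years")
    print(f"40-bit export key at 245e9 keys/s: "
          f"{exhaustive_search_seconds(40, 245e9):.1f} seconds")
    print(f"Bits for a trillion-year search at 1e18 keys/s: {bits_needed(1e12, 1e18)}")
```

The 1999 DES search that finished in 22 hours found the key well before exhausting the keyspace, which the worst-case figure from `exhaustive_search_seconds` makes visible.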

Machine Shop

Because symmetric algorithms are faster than public key, most encryption systems today use a combination of the two. The SSL algorithm built into most Web browsers uses RSA to exchange a pair of keys, and RC2 or RC4 for bulk data encryption. The Secure Shell (SSH) remote access system is similar except it uses either Blowfish or 3DES—a version of DES that uses 168-bit keys instead of 56-bit keys—for bulk encryption.

As  both  SSL  and  SSH  demonstrate,  the 
latest  trend  in  encryption  systems  is  to 
make  the  algorithms  “pluggable.”  These 
days,  the  same  basic  software  can  use  a  vari¬ 
ety  of  algorithms,  usually  determined  when 
the  program  runs.  The  big  benefit  of  plug¬ 
gable  systems  is  that  they  let  end  users 
change  encryption  algorithms  without  get¬ 
ting  new  applications.  In  other  words,  if  a 
serious  bug  is  found  with  the  Blowfish 
cipher,  it’s  a  simple  matter  to  tell  SSH  to  use 
3  DES  instead. 

The primary reason you want to use encryption is to protect valuable information from being eavesdropped on over a network. The first thing to protect is passwords—you should use encryption for your POP (point of presence) mail server, and you should replace Telnet with SSH. Intranets that require passwords should eschew “http” and instead use “https” for all URLs. Follow those basic rules, and anybody using a packet sniffer won’t be able to find passwords when he examines your network; sage advice for both wireless networks and wired LANs. Once you’ve got that working, take a look at cryptographic file systems, which let you set up a specially secured space on your hard drive. You can’t stop people from stealing laptops, but you can protect the confidential information contained on them.

The most important thing to realize about encryption is that it’s virtually free. Today, support for unbreakable encryption is built into practically every piece of communications software and operating system. If you are not using it, you are making a big mistake.

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company. He can be reached at machineshop@cxo.com.
Waving the Red Flag

Security can play a major role in ensuring the integrity of the corporation. But it won’t happen without persistence.

By Anonymous


There is no Baldrige Award for Corporate Integrity, but if there were, the CSOs of this world would be among those with a bullhorn on the nominating panel. Or at least they ought to be.

I can’t think of a role more attuned to the mission of overseeing risk than ours. In my view, no member of the corporate governance team is more qualified to deal with the key elements of oversight than the CSO. The security department can administer the programs required to assure the organization’s integrity, and the CSO is in a good position to be an advocate—an owner of sorts—of a variety of business-conduct policies. In addition, he can fill the role of adviser to top management on issues affecting the reputation of the enterprise.

Some would argue (and current governance movements underscore the notion) that it is the auditors, both internal and external, who are the logical overseers for integrity assurance. Not so.

Audit is cyclical, and it is not meant to be an investigative function in the same way that security is. As a matter of fact, the corporate ethics or compliance department of an organization may have input into security policy, but neither group would—or should—have the scope and reach of security.

How about the members of the human resources team? They certainly can participate as an employee advocate, but as a department, they lack the objectivity that security brings to the table.

No—at least as I see it—it is the security department that has the unique perch to see the cautionary signals that are a part of daily corporate life, and we’re paid to understand that aspect of operational risk better than anyone else on the executive team. When corporate security provides its share of oversight and control maintenance in an organization, it can see a variety of red flags that others don’t.

Yet in all of the current commentary and debate on corporate scandal and wrongdoing, I’ve not seen one word acknowledging the CSO’s—or even the corporate security department’s—role in risk management. If you don’t believe me, just do some research on corporate governance and see how many times you find a reference to the security function or the CSO as a member of the team. You won’t, I promise.


Connecting the Dots

“I was so busy, I never saw it coming!” This from the line manager who’s just fired an employee for misconduct. With downsizing, rightsizing and just plain working our butts off to do more with less, the velocity of business dealings often masks control weaknesses.

Yes, indeed. It is the rare and clever CSO who understands the importance of getting involved in the governance of his business organization and establishing a policy that encourages a corporate culture that will influence and eventually reinforce the integrity of the entire organization.

But given the dynamics of risk in the world today, can anyone reliably claim that their organization has bulletproof safeguards around the assets that contribute to shareholder value? I doubt it. Most corporations have a limited knowledge of risk because the risk analyses they do are insufficient to uncover key vulnerabilities. Yet if a company isn’t doing effective risk analysis, it will have to assume it has exploitable vulnerabilities. (I underscore exploitable because risk is increased as vulnerabilities become known to an increasingly large group of knowledgeable, trusted and empowered insiders.)

Security is in a position to see such weaknesses in its investigative findings and should influence managers to pause and understand the risks we are all charged with monitoring. In fact, we have a fiduciary obligation to ensure such vulnerabilities are addressed at a sufficient level to deter opportunity. That dictates one part common sense and three parts due diligence.

Got Supervision?

First-line managers are the key to maintaining a climate of integrity and effective risk management. Even when top management makes its commitment to integrity clear, the action is in the trenches. Unless supervisors are risk-aware and work within an accountability model that makes their roles clear, they are not likely to be part of an effective system of controls.

Beyond the internal supervision, outsourcing and offshore relationships are also integral parts of the competitive environment. Yet we are increasingly assigning high-risk jobs to individuals or vendors about whom we know very little or nothing. Our relationships with these outside organizations need to follow our integrity model—we must insist that they apply the same standards of ethical expectations to themselves as we do to our own organization. Easy to say, but not so easy to do.

Where is the CSO’s role here? Think back to the “I-was-so-busy-I-never-saw-it-coming” guy. “Look,” he says, “it’s your job to give us a heads up! You guys in security may see this stuff as a routine part of your job, but I’ve got a committed team here busy working 24/7, and we didn’t have a clue.”

If your culture shoots the messengers of bad news, don’t be surprised when various managers—even those who have been diligent enough to have “seen it coming”—may clam up when concerns are aroused. Explore this issue in your organization. You’ll probably discover that a lack of notice is more indicative of a climate of fear or wagon circling than anything else.

Then there are the interesting places we find ourselves housing critical business processes. We are working in very complex global and technical environments. We depend on global data networks and dispersed computing environments that live within very risky local infrastructures with differing standards of care. While it is recognized that a resilient recovery strategy is essential, don’t forget that the cultural issues around corporate hygiene can land you on the front page of The Wall Street Journal faster than you can say “scandal.”

And then there’s honesty. It’s acknowledged that the “honesty quotient” within our workforce has declined during the past few decades. Don’t argue with me—the evidence is everywhere. Effective background investigations, however, will screen out the most serious threats.


On the Radar

If you think the rank and file doesn’t watch to see how the stars get treated when they trip and fall, you’re fooling yourself. And the whole process of integrity administration is up for question. It’s great that security folks are learning new things and passing that information along. But at the end of the day, the CSO needs to translate the view from the top into a clearly articulated set of expectations. And that needs to be reinforced by equally consistent applications.

The CSO should manage a formal takeaway process from every internal misconduct or criminal incident. If you have no plans for doing post-incident analysis and sharing lessons learned, your organization is destined to repeat its mistakes.

What would you think about a business unit that had either multiple or a broadly based misconduct experience that combined little or no risk analysis? What if it failed to pay attention to security recommendations on background or due diligence findings? What if it didn’t participate in post-incident learning efforts or failed to hold managers accountable for problems on their watch?

That’s why it’s important to have a governance team. That’s where it’s important to connect the dots.

Security and other inputs from colleagues on the governance team provide a vibrant picture of health and hygiene in the company. A quarterly interchange between human resources, security and internal audit on issues within specific risk-ranked business units can yield a synergy—you know, that 1+1+1=4 thing—on assessing the adequacy of applicable controls and influencing the audit plan. When presented as a collaborative give-and-take exercise with no surprises, the result can be very positive in terms of the relationship as well as in the measurable improvement of issues of concern.

And where proactive doesn’t work, maybe the courts can help get attention. The Organizational Sentencing Guidelines in late 1991 imposed an affirmative duty on corporations to create compliance programs to detect and respond to criminal misconduct. The Sarbanes-Oxley legislation, in response to Enron and other abuses, reinforces this precursor and pins the tail on the CEO, CFO and the board.

Prior cases have broadened the risk awareness parameters of the officers and the board, and even allowed that a corporate officer can be convicted for the criminal acts of subordinates—even if he lacks the intent and has no knowledge of the specific wrongdoing. The concept of responsible agent expanded dramatically in the Caremark International ruling in 1996. In that case, the court recognized the possibility that directors could be held personally accountable for a failure to detect and correct violations. The court reasoned that the board’s failure to keep itself informed of illegal conduct was considered a breach of the requisite duty of care.

Perhaps this incremental trend of corporate accountability was best dramatized by Time magazine celebrating three whistleblowers for its 2002 Persons of the Year.

So, where does this bring us?

First, it argues for creating a role for the chief security officer that encompasses a 360-degree view of the operational risk environment. It means letting the CSO serve as a peer with the other members of the senior corporate governance team. The CSO’s ability to connect the dots within his scope, resulting in a perspective unique to the management team, is an asset that cannot be missed in these risky times. Second, it argues mightily for a CSO with clear strategic and operational accountability for the full scope of security functions.

OK, so there is no Baldrige Award for Corporate Integrity. But there is a booby prize: If companies don’t pay attention to ethical behavior, they’ll reap their rewards with a lack of shareholder confidence and customer defection.

This column is written anonymously by a real CSO. For reader feedback, e-mail us at csoundercover@cxo.com.

Is the Best

New Publication

[But you already knew that, didn’t you?]


CSO magazine is the proud recipient of the prestigious 2003 Jesse H. Neal Award for “Best New Publication.” CSO was also honored as first runner-up to sister publication CIO magazine for the Grand Neal Award—the top editorial honor granted to one publication from more than 1,000 entries across all categories and circulation sizes. This marks the first time a new publication has received such prestigious recognition so early on.


The Neal Award judges aren’t the only ones who value CSO magazine. 98% of CSO readers find the content of CSO relevant to their jobs.*


Often hailed for its preeminence as the “Pulitzer Prize of the business press,” the Neal Award is the business publishing industry’s annual salute to individual editors for outstanding editorial excellence.

* SOURCE: CSO MAGAZINE “SECURITY SENSOR II,” DECEMBER 2002


Pop Quiz

It’s a Fraud, Fraud, Fraud, Fraud World


Part 1: The Cheating Masses

1. What percentage of revenue do certified fraud examiners estimate was lost in 2002 due to occupational fraud?
a. 1 percent  b. 6 percent  c. 10 percent  d. 17 percent

2. How long does the average occupational fraud scheme last before being detected?
a. one month  b. six months  c. one year  d. 18 months

3. True or False: About one in seven fraud schemes lasts five years or more before being detected.

4. Employees tipping off auditors is the most common way companies detect fraud. What is the second most common way companies detect fraud?
a. By accident  b. By external audit  c. By internal audit  d. By anonymous tips


5. Which of the following do certified fraud examiners consider least effective in preventing fraud?
a. Anonymous fraud reporting mechanisms
b. Ethics training for employees
c. Workplace surveillance
d. Background checks on new employees

6. What is the approximate ratio of male to female fraud perpetrators?
a. 1 to 1  b. 3 to 1  c. 10 to 1  d. 50 to 1

7. What is the approximate ratio of losses from fraud by male perpetrators to female perpetrators?
a. 1 to 1  b. 3 to 1  c. 10 to 1  d. 50 to 1


8. True or False: The most common reason fraud cases don’t go to court is because the victim company lacks the evidence to convict the perpetrator.

Part 2: The Cheating Masses’ Role Models

9. What percentage of corporate executives said that in golf they undercount strokes, improve their lie or otherwise participate in activities considered cheating?
a. 10 percent  b. 67 percent  c. 82 percent  d. 99 percent

10. What percentage of the same executives said they are “honest at golf”?
a. 10 percent  b. 67 percent  c. 82 percent  d. 99 percent

11. What percentage of the same executives said they hate it when others cheat?
a. 10 percent  b. 67 percent  c. 82 percent  d. 99 percent

12. What percentage of the same executives said they believed a person who cheats at golf would probably cheat at business?
a. 10 percent  b. 67 percent  c. 82 percent  d. 99 percent

13. What percentage of the same executives said they are personally honest in business?
a. 10 percent  b. 67 percent  c. 82 percent  d. 99 percent

Bonus Question

True or False: There’s a sucker born every minute.

SOURCES: “2002 REPORT TO THE NATION: OCCUPATIONAL FRAUD AND ABUSE,” BY THE ASSOCIATION OF CERTIFIED FRAUD EXAMINERS; APRIL 2002 SURVEY OF 401 CORPORATE EXECUTIVES, COMMISSIONED BY STARWOOD HOTELS & RESORTS

How’d You Do?


0-4 correct: “Rather fail with honor than succeed by fraud.”

5-11 correct: “Whomever is detected in a shameful fraud is ever after not believed....”

12-14 correct: “If it sounds too good to be true, it is probably a fraud.”

ILLUSTRATION BY PETER FERGUSON


Advanced Threat Protection

As the most versatile IDS available, StealthWatch™ rapidly identifies, prioritizes and mitigates malicious network, system and host behavior by dynamically detecting deviations from typical profiles and acceptable security policies. More than an IDS, StealthWatch provides a continuous assessment of risks and policy compliance, insightful forensic analysis, and optimization of network traffic.

Request your free white paper “Behavior-based IDS: StealthWatch Overview and Deployment Methodology” at http://www.lancope.com

StealthWatch and Lancope are Registered Trademarks of Lancope, Inc.
BETTER MANAGEMENT DOES.

The secret to a secure enterprise lies in not just monitoring the parts, but managing it as a whole. That’s exactly what eTrust™ lets you do. In fact, our eTrust™ Security Command Center is the perfect solution to security information overload. It gives you the big picture from a single vantage point, with all your event information prioritized. So you can identify actual internal and external threats before they can wreak havoc. Anything less would be, well, alarming.

eTrust™

ACCESS • THREAT • IDENTITY
SECURITY MANAGEMENT SOFTWARE